
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1429353
MD5: 5f30e027d147af1de92391f2e18644c8
SHA1: febe9d268d31c17a24c0cae2d2e2b5d617d8608f
SHA256: 8f82f1de5cd507dd90c604c127dfe50e366530fbc0bbe2841ce68767d911cc65
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 2896 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5F30E027D147AF1DE92391F2E18644C8)
    • WerFault.exe (PID: 1868 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 784 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 880 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6464 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 912 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 920 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4284 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 980 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6924 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1332 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1800 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1772 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6924 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1772 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1880 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1920 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1800 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1932 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6952 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1960 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4284 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1776 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2364 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1972 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4248 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1916 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2800 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1760 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1880 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6824 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1892 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings)
C:\Users\user\AppData\Local\Temp\W9yZG_t61Z_J7GfmBn540XA.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |

Yara matches (Source | Rule | Description | Author | Strings)
00000000.00000002.2008702665.000000000418E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000000.00000002.2009564997.0000000008CB9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000000.00000002.2009091900.000000000459F000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2009188631.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
          No Sigma rule has matched
Snort alerts (Timestamp | SID | Source Port | Destination Port | Protocol | Classtype)
04/22/24-01:28:54.900516 | 2049060 | 49730 | 58709 | TCP | A Network Trojan was detected
04/22/24-01:28:55.338745 | 2046267 | 58709 | 49730 | TCP | A Network Trojan was detected
04/22/24-01:28:55.099915 | 2046266 | 58709 | 49730 | TCP | A Network Trojan was detected
04/22/24-01:28:58.805975 | 2046269 | 49730 | 58709 | TCP | A Network Trojan was detected

AV Detection

Source: file.exe | Avira: detected
Source: http://193.233.132.167/cost/lenin.exe | URL Reputation: Label: malware
Source: file.exe | ReversingLabs: Detection: 39%
Source: file.exe | Virustotal: Detection: 45%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D1240 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree

Compliance

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: Binary string: C:\wigidefebeyugo\sizaf.pdb | source: file.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D0620 FindFirstFileA,FindNextFileA,GetLastError,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042C82B FindClose,FindFirstFileExW,GetLastError
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EC100 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004A0880 FindFirstFileA,FindNextFileA,GetLastError,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx

Networking

Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
Source: global traffic | TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 147.45.47.93
Source: Joe Sandbox View | IP Address: 172.67.75.166
Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1; Connection: Keep-Alive; Referer: https://ipinfo.io/; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36; Host: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36; Host: db-ip.com
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D23C0 Sleep,recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,recv,Sleep
Source: unknown | DNS traffic detected: queries for: ipinfo.io
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://.102:57amadka.
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe-
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/go.exe.1
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000002.2009091900.000000000459F000.00000040.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.winimage.com/zLibD
Source: file.exe, 00000000.00000003.1636879616.0000000006070000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.524
Source: file.exe, 00000000.00000002.2008702665.00000000041EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52q.
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52?9d1
Source: file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.2008702665.00000000041C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/1D
Source: file.exe, 00000000.00000002.2008702665.00000000041BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/B
Source: file.exe, 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2009188631.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1636879616.0000000006070000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/Content-Type:
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2008702665.00000000041DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.520%
Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.1768920337.0000000008CFB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1766930296.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp, Cma6mvK3hWvIHistory.0.dr, ZP9OgwnUTBtwHistory.0.dr | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Cma6mvK3hWvIHistory.0.dr, ZP9OgwnUTBtwHistory.0.dr | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1768920337.0000000008CFB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1766930296.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp, Cma6mvK3hWvIHistory.0.dr, ZP9OgwnUTBtwHistory.0.dr | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Cma6mvK3hWvIHistory.0.dr, ZP9OgwnUTBtwHistory.0.dr | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000002.2008702665.000000000418E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2009564997.0000000008CB9000.00000004.00000020.00020000.00000000.sdmp, W9yZG_t61Z_J7GfmBn540XA.zip.0.dr | String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1880373194.0000000008CFF000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr | String found in binary or memory: https://t.me/risepro_bot
Source: file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, file.exe, 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2009188631.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1636879616.0000000006070000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000003.1769746318.000000000427B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1769220187.000000000427B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768851664.000000000427B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767799918.0000000004274000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1770260013.000000000427B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1770968109.000000000427B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2008702665.0000000004267000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1769565531.000000000427B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768153753.0000000004274000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1771499986.000000000427B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000002.2009564997.0000000008CB9000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1769746318.000000000427B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1769220187.000000000427B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768851664.000000000427B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767799918.0000000004274000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1770260013.000000000427B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1770968109.000000000427B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2008702665.0000000004267000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1769565531.000000000427B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768153753.0000000004274000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1771499986.000000000427B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000002.2009564997.0000000008CB9000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2008702665.0000000004267000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F2150 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown

          System Summary

          barindex
          Source: 00000000.00000002.2009091900.000000000459F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 00000000.00000002.2009188631.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005041A0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E58B
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F6660
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CC610
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00516730
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045A790
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043A8BD
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00506920
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005209F0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CA55
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00506DD0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045504E
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045B010
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049D110
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004091BF
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00453450
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D468
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004B36B0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045578C
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054B990
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00453C30
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042A040
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052A080
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC0A0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005040A0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00510140
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00506210
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00552230
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054E340
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00448314
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050E450
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052E510
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00502580
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC8B0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00504A90
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0043ABFF
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FECA0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00552DC0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00420DB0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00504FE0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040EFAF
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044F050
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409010
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB0A0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00553170
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004371F0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00541180
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004351B8
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00547260
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040F27E
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004D3280
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F7290
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00513320
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005233F0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FF450
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D5B3
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050F620
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004536D0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DF790
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DB860
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F3910
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00431A30
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00503BD0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00545BF0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00553BB0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00453E0C
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FBE00
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00503E00
          Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00553960 appears 85 times
          Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0042EC10 appears 58 times
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 784
          Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
          Source: file.exe, 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
          Source: file.exe, 00000000.00000000.1635935851.00000000040D8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFires( vs file.exe
          Source: file.exe, 00000000.00000002.2009188631.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
          Source: file.exe, 00000000.00000003.1636879616.0000000006070000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
          Source: file.exe | Binary or memory string: OriginalFilenameFires( vs file.exe
          Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 00000000.00000002.2009091900.000000000459F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000000.00000002.2009188631.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/94@2/3
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00550C20 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00550E80 GetDiskFreeSpaceW,GetDiskFreeSpaceA
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049B950 CreateDirectoryA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
          Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2896
          Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\trixyBKaHSrnNvXxX
          Source: C:\Users\user\Desktop\file.exe | Command line argument: 131 | 0_2_00453C30
          Source: C:\Users\user\Desktop\file.exe | Command line argument: Dk43l_dwmk438* | 0_2_00453C30
          Source: C:\Users\user\Desktop\file.exe | Command line argument: N.E | 0_2_00452DA0
          Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: file.exe, file.exe, 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2009188631.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1636879616.0000000006070000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: file.exe, 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2009188631.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1636879616.0000000006070000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: KsnNQ7qbgZr8Login Data.0.dr, vbwxzHO_00KHLogin Data For Account.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: file.exe | ReversingLabs: Detection: 39%
          Source: file.exe | Virustotal: Detection: 45%
          Source: file.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
          Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 784
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 880
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 912
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 980
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1332
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1772
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1880
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1920
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1960
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1972
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1916
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1760
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1880
          Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1892
          Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: msimg32.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcr100.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: d3d11.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: dxgi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: resourcepolicyclient.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: d3d10warp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: dxcore.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: devobj.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: vaultcli.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
          Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: C:\wigidefebeyugo\sizaf.pdb source: file.exe

          Data Obfuscation

          Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
          Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DB380 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042E7E9 push ecx; ret | 0_2_0042E7FC
          Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
          Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\file.exeCode function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,0_2_0045A5C0
          Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-77292
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00550DF0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00550E31h0_2_00550DF0
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D0620 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004D0620
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004F2870
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0042C82B FindClose,FindFirstFileExW,GetLastError,0_2_0042C82B
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004EC100 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,0_2_004EC100
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004A0880 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004A0880
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_0042C8B1
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00452968 VirtualQuery,GetSystemInfo,0_2_00452968
          Source: Amcache.hve.3.drBinary or memory string: VMware
          Source: Amcache.hve.3.drBinary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.3.drBinary or memory string: vmci.syshbin
          Source: Amcache.hve.3.drBinary or memory string: VMware, Inc.
          Source: file.exe, 00000000.00000002.2008702665.0000000004180000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&1
          Source: file.exe, 00000000.00000003.1659576324.00000000041E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Amcache.hve.3.drBinary or memory string: VMware20,1hbin@
          Source: Amcache.hve.3.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.3.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.3.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Source: file.exe, 00000000.00000002.2009564997.0000000008CD2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2008702665.00000000041DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: Amcache.hve.3.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: file.exe, 00000000.00000003.1659576324.00000000041F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Amcache.hve.3.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: Amcache.hve.3.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.3.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.3.drBinary or memory string: vmci.sys
          Source: Amcache.hve.3.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
          Source: Amcache.hve.3.drBinary or memory string: vmci.syshbin`
          Source: Amcache.hve.3.drBinary or memory string: \driver\vmci,\driver\pci
          Source: Amcache.hve.3.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: file.exe, 00000000.00000002.2009564997.0000000008CD2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_EAC1505Eo
          Source: Amcache.hve.3.drBinary or memory string: VMware20,1
          Source: Amcache.hve.3.drBinary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.3.drBinary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.3.drBinary or memory string: VMware Virtual disk SCSI Disk Device
          Source: file.exe, 00000000.00000002.2009564997.0000000008CD2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_EAC1505E
          Source: file.exe, 00000000.00000003.1659576324.00000000041F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}W
          Source: Amcache.hve.3.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.3.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.3.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.3.drBinary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.3.drBinary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.3.drBinary or memory string: VMware Virtual RAM
          Source: Amcache.hve.3.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.3.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004E2080 IsDebuggerPresent,IsProcessorFeaturePresent,GetVolumeInformationA,0_2_004E2080
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045504E CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,0_2_0045504E
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004DB380 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004DB380
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]0_2_0045A5C0
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]0_2_0045A5C0
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045504E mov eax, dword ptr fs:[00000030h]0_2_0045504E
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045504E mov ecx, dword ptr fs:[00000030h]0_2_0045504E
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0045578C mov eax, dword ptr fs:[00000030h]0_2_0045578C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00453C30 mov eax, dword ptr fs:[00000030h]0_2_00453C30
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00453C30 mov ecx, dword ptr fs:[00000030h]0_2_00453C30
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00454577 mov eax, dword ptr fs:[00000030h]0_2_00454577
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004E2C80 mov eax, dword ptr fs:[00000030h]0_2_004E2C80
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D3280 mov eax, dword ptr fs:[00000030h]0_2_004D3280
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004D1480 mov eax, dword ptr fs:[00000030h]0_2_004D1480
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004DF790 mov ecx, dword ptr fs:[00000030h]0_2_004DF790
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00453E0C mov eax, dword ptr fs:[00000030h]0_2_00453E0C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00453E0C mov eax, dword ptr fs:[00000030h]0_2_00453E0C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00453E0C mov eax, dword ptr fs:[00000030h]0_2_00453E0C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00453E0C mov eax, dword ptr fs:[00000030h]0_2_00453E0C
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004FA050 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,0_2_004FA050
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00453C30 Sleep,GetCurrentProcess,SetPriorityClass,SetUnhandledExceptionFilter,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,GetModuleFileNameA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,CreateThread,FindCloseChangeNotification,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,SetCurrentDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,0_2_00453C30
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0042EA14 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042EA14
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0042EBA1 SetUnhandledExceptionFilter,0_2_0042EBA1
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0042EDAD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0042EDAD
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004332F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004332F4

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004DB380 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004DB380
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0042E615 cpuid 0_2_0042E615
          Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoEx,FormatMessageA,0_2_0042C623
          Source: C:\Users\user\Desktop\file.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_0044D3EB
          Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_0044D5F0
          Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_0044D6E2
          Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_0044D697
          Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_0044D77D
          Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_0044D808
          Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_00445A41
          Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_0044DA5B
          Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0044DB84
          Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_0044DC8A
          Source: C:\Users\user\Desktop\file.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0044DD60
          Source: C:\Users\user\Desktop\file.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
          Source: C:\Users\user\Desktop\file.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043C1FB GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,0_2_0043C1FB
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004E2AC0 GetUserNameA,GetComputerNameA,GetCurrentProcess,TerminateProcess,0_2_004E2AC0
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004479BE GetTimeZoneInformation,0_2_004479BE
          Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00551070 GetVersionExA,GetFileAttributesW,GetFileAttributesA,0_2_00551070
          Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: Amcache.hve.3.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.3.drBinary or memory string: msmpeng.exe
          Source: Amcache.hve.3.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.3.drBinary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          Source: Yara matchFile source: 00000000.00000002.2008702665.000000000418E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.2009564997.0000000008CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 2896, type: MEMORYSTR
          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\W9yZG_t61Z_J7GfmBn540XA.zip, type: DROPPED
          Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\walletsq
          Source: file.exe, 00000000.00000003.1910906464.0000000008CED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
          Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx;
          Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
          Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
          Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
          Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
          Source: file.exe, 00000000.00000003.1910906464.0000000008CED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
          Source: file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
          Source: Yara matchFile source: 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: file.exe PID: 2896, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2008702665.000000000418E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2009564997.0000000008CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2896, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\W9yZG_t61Z_J7GfmBn540XA.zip, type: DROPPED
MITRE ATT&CK Matrix (techniques with signature hits; hit count in parentheses)

Execution: Native API (2), Command and Scripting Interpreter (3)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1), Process Injection (11)
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (2), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (1), Process Injection (11)
Credential Access: OS Credential Dumping (1)
Discovery: System Time Discovery (12), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (47), Query Registry (1), Security Software Discovery (61), Virtualization/Sandbox Evasion (1), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (1), System Network Configuration Discovery (1)
Collection: Archive Collected Data (1), Data from Local System (2), Screen Capture (1), Email Collection (1)
Command and Control: Ingress Tool Transfer (2), Encrypted Channel (21), Non-Standard Port (1), Non-Application Layer Protocol (2), Application Layer Protocol (13)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no signature hits
Source | Detection | Scanner | Label
file.exe | 39% | ReversingLabs | -
file.exe | 45% | Virustotal | -
file.exe | 100% | Avira | HEUR/AGEN.1313019
file.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
Source | Detection | Scanner | Label
http://193.233.132.167/cost/lenin.exe | 100% | URL Reputation | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.186.192 | true | false | - | high
db-ip.com | 172.67.75.166 | true | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/widget/demo/81.181.57.52 | false | - | high
https://db-ip.com/demo/home.php?s=81.181.57.52 | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | false | - | high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GY | D87fZN3R3jFeplaces.sqlite.0.dr | false | - | high
http://.102:57amadka. | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | false | - | low
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | false | - | high
http://www.winimage.com/zLibD | file.exe, 00000000.00000002.2009091900.000000000459F000.00000040.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | false | - | high
http://147.45.47.102:57893/hera/amadka.exe- | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://db-ip.com/demo/home.php?s=81.181.57.524 | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://147.45.47.102:57893/hera/amadka.exe | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://db-ip.com/ | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | false | - | high
http://upx.sf.net | Amcache.hve.3.dr | false | - | high
https://t.me/RiseProSUPPORT | file.exe, 00000000.00000002.2008702665.000000000418E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2009564997.0000000008CB9000.00000004.00000020.00020000.00000000.sdmp, W9yZG_t61Z_J7GfmBn540XA.zip.0.dr | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | false | - | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | file.exe, 00000000.00000003.1768920337.0000000008CFB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1766930296.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp, Cma6mvK3hWvIHistory.0.dr, ZP9OgwnUTBtwHistory.0.dr | false | - | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | file.exe, 00000000.00000003.1768920337.0000000008CFB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1766930296.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp, Cma6mvK3hWvIHistory.0.dr, ZP9OgwnUTBtwHistory.0.dr | false | - | high
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | false | - | high
https://db-ip.com:443/demo/home.php?s=81.181.57.52?9d1 | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ipinfo.io/Mozilla/5.0 | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | D87fZN3R3jFeplaces.sqlite.0.dr | false | - | high
https://ipinfo.io/B | file.exe, 00000000.00000002.2008702665.00000000041BE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ipinfo.io/Content-Type: | file.exe, 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2009188631.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1636879616.0000000006070000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://193.233.132.167/cost/go.exe.1 | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://ipinfo.io:443/widget/demo/81.181.57.520% | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://193.233.132.167/cost/go.exe | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | false | - | high
https://t.me/risepro_bot | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1880373194.0000000008CFF000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr | false | - | high
https://ipinfo.io/ | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.maxmind.com/en/locate-my-ip-address | file.exe, file.exe, 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2009188631.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1636879616.0000000006070000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://ipinfo.io/1D | file.exe, 00000000.00000002.2008702665.00000000041C3000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | Cma6mvK3hWvIHistory.0.dr, ZP9OgwnUTBtwHistory.0.dr | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | false | - | high
http://www.winimage.com/zLibDll | file.exe, 00000000.00000003.1636879616.0000000006070000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://db-ip.com/demo/home.php?s=81.181.57.52q. | file.exe, 00000000.00000002.2008702665.00000000041EB000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://support.mozilla.org | D87fZN3R3jFeplaces.sqlite.0.dr | false | - | high
http://193.233.132.167/cost/lenin.exe | file.exe, 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | Cma6mvK3hWvIHistory.0.dr, ZP9OgwnUTBtwHistory.0.dr | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000003.1769245344.0000000008D1C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1767408508.0000000008D05000.00000004.00000020.00020000.00000000.sdmp, kpoRIew0KmbRWeb Data.0.dr, 6xWctsbrfVe0Web Data.0.dr, v9sfzApO2m4MWeb Data.0.dr | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
147.45.47.93 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
172.67.75.166 | db-ip.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1429353
Start date and time: 2024-04-22 01:28:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@15/94@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 56%
• Number of executed functions: 96
• Number of non-executed functions: 55
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): WerFault.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.89.179.12
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                                                                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe | malicious | Unknown | ipinfo.io/json
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe | malicious | Unknown | ipinfo.io/json
34.117.186.192 | Raptor.HardwareService.Setup 1.msi | malicious | Unknown | ipinfo.io/ip
34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
34.117.186.192 | w.sh | malicious | Xmrig | /ip
34.117.186.192 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
34.117.186.192 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
34.117.186.192 | uUsgzQ3DoW.exe | malicious | RedLine | ipinfo.io/ip
34.117.186.192 | 8BZBgbeCcz.exe | malicious | RedLine | ipinfo.io/ip
147.45.47.93 | file.exe | malicious | RisePro Stealer | -
147.45.47.93 | qk9TaBBxh8.exe | malicious | LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | -
147.45.47.93 | s2dwlCsA95.exe | malicious | RisePro Stealer | -
147.45.47.93 | SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe | malicious | Amadey, RedLine, RisePro Stealer | -
147.45.47.93 | SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | -
147.45.47.93 | UeW2b6mU6Z.exe | malicious | Amadey, RisePro Stealer | -
147.45.47.93 | tA6etkt3gb.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | -
147.45.47.93 | file.exe | malicious | RisePro Stealer | -
147.45.47.93 | dendy.exe | malicious | RisePro Stealer | -
147.45.47.93 | Q73YlTAmWe.exe | malicious | RisePro Stealer | -
172.67.75.166 | s2dwlCsA95.exe | malicious | RisePro Stealer | -
172.67.75.166 | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | -
172.67.75.166 | TANQUIVUIA.exe | malicious | LummaC, RisePro Stealer | -
172.67.75.166 | oZ8kX4OA5q.exe | malicious | RisePro Stealer | -
172.67.75.166 | S2ruRfajig.exe | malicious | RisePro Stealer | -
172.67.75.166 | WARYTtjh4l.exe | malicious | RisePro Stealer | -
172.67.75.166 | fzrGl94EQ2.exe | malicious | RisePro Stealer | -
                                                                                                                              SeR6QESSMe.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                z21FdylQJD.exeGet hashmaliciousRisePro StealerBrowse
                                                                                                                                  tBtJCF8REJ.exeGet hashmaliciousRisePro StealerBrowse
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ipinfo.io | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 34.117.186.192
 | Dj43d18ukx.exe | Get hash | malicious | DCRat | Browse | 34.117.186.192
 | SenPalia.exe | Get hash | malicious | Unknown | Browse | 34.117.186.192
 | UnderWars.exe | Get hash | malicious | Unknown | Browse | 34.117.186.192
 | SenPalia.exe | Get hash | malicious | Unknown | Browse | 34.117.186.192
 | UnderWars.exe | Get hash | malicious | Unknown | Browse | 34.117.186.192
 | 2q45IEa3Ee.exe | Get hash | malicious | LummaC, RisePro Stealer | Browse | 34.117.186.192
 | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 34.117.186.192
 | SajWKdHxdF.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
 | file.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
db-ip.com | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 104.26.5.15
 | 2q45IEa3Ee.exe | Get hash | malicious | LummaC, RisePro Stealer | Browse | 104.26.5.15
 | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 104.26.4.15
 | SajWKdHxdF.exe | Get hash | malicious | RisePro Stealer | Browse | 104.26.5.15
 | file.exe | Get hash | malicious | RisePro Stealer | Browse | 104.26.4.15
 | s2dwlCsA95.exe | Get hash | malicious | RisePro Stealer | Browse | 172.67.75.166
 | SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe | Get hash | malicious | Amadey, RedLine, RisePro Stealer | Browse | 104.26.5.15
 | UeW2b6mU6Z.exe | Get hash | malicious | Amadey, RisePro Stealer | Browse | 104.26.5.15
 | file.exe | Get hash | malicious | RisePro Stealer | Browse | 104.26.4.15
 | dendy.exe | Get hash | malicious | RisePro Stealer | Browse | 104.26.5.15
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 34.117.186.192
 | Dj43d18ukx.exe | Get hash | malicious | DCRat | Browse | 34.117.186.192
 | SenPalia.exe | Get hash | malicious | Unknown | Browse | 34.117.186.192
 | UnderWars.exe | Get hash | malicious | Unknown | Browse | 34.117.186.192
 | SenPalia.exe | Get hash | malicious | Unknown | Browse | 34.117.186.192
 | UnderWars.exe | Get hash | malicious | Unknown | Browse | 34.117.186.192
 | 2q45IEa3Ee.exe | Get hash | malicious | LummaC, RisePro Stealer | Browse | 34.117.186.192
 | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 34.117.186.192
 | SajWKdHxdF.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
 | file.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
CLOUDFLARENETUS | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 104.26.5.15
 | https://shiny-haze-e3f9.oriental-chef-hrg9939.workers.dev/ | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
 | https://pub-a7051849f97e40258b2898070eea69ef.r2.dev/index.html | Get hash | malicious | HTMLPhisher | Browse | 104.18.3.35
 | https://yxv.ens.mybluehost.me/Ca/net/login.php | Get hash | malicious | Unknown | Browse | 162.247.243.29
 | https://yzkgxjyz0y4417anol.pages.dev/smart89/ | Get hash | malicious | Unknown | Browse | 172.66.45.32
 | https://pub-ad26986ae16e4366a1d34c587ca0df93.r2.dev/megme.html | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
 | https://topwingroups.top/login.php | Get hash | malicious | Unknown | Browse | 104.21.19.92
 | https://pub-cece57d8d2864d24b41d6f56ef2fee01.r2.dev/light.html | Get hash | malicious | HTMLPhisher | Browse | 104.18.2.35
 | https://www.itstoreindia.com/web/info.php | Get hash | malicious | DHL Phishing | Browse | 104.21.36.246
 | https://funne.freewebhostmost.com/DHL-MULTI_M-2024/MTTRBDFH/ | Get hash | malicious | HTMLPhisher | Browse | 104.17.24.14
FREE-NET-ASFREEnetEU | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 193.233.132.175
 | 2q45IEa3Ee.exe | Get hash | malicious | LummaC, RisePro Stealer | Browse | 193.233.132.253
 | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 193.233.132.175
 | SajWKdHxdF.exe | Get hash | malicious | RisePro Stealer | Browse | 193.233.132.226
 | SajWKdHxdF.exe | Get hash | malicious | RisePro Stealer | Browse | 193.233.132.226
 | file.exe | Get hash | malicious | RisePro Stealer | Browse | 147.45.47.93
 | jNeaezBuo8.exe | Get hash | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse | 193.233.132.175
 | 74fa486WVX.exe | Get hash | malicious | Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse | 193.233.132.234
 | qk9TaBBxh8.exe | Get hash | malicious | LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | Browse | 193.233.132.226
 | s2dwlCsA95.exe | Get hash | malicious | RisePro Stealer | Browse | 147.45.47.93
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 34.117.186.192, 172.67.75.166
 | https://yxv.ens.mybluehost.me/Ca/net/login.php | Get hash | malicious | Unknown | Browse | 34.117.186.192, 172.67.75.166
 | 2q45IEa3Ee.exe | Get hash | malicious | LummaC, RisePro Stealer | Browse | 34.117.186.192, 172.67.75.166
 | Pictures.com.exe | Get hash | malicious | DBatLoader | Browse | 34.117.186.192, 172.67.75.166
 | 2FjvjcayaH.exe | Get hash | malicious | LummaC | Browse | 34.117.186.192, 172.67.75.166
 | qrLdMv1QXG.exe | Get hash | malicious | LummaC | Browse | 34.117.186.192, 172.67.75.166
 | PASS-1234.exe | Get hash | malicious | LummaC | Browse | 34.117.186.192, 172.67.75.166
 | file.exe | Get hash | malicious | LummaC | Browse | 34.117.186.192, 172.67.75.166
 | file.exe | Get hash | malicious | LummaC | Browse | 34.117.186.192, 172.67.75.166
 | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 34.117.186.192, 172.67.75.166
No context
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):1.0284214926729556
Encrypted:false
SSDEEP:192:uiTN4kvxOPyS056rPI3jS3ZrYbajzuiFcZ24IO8kVBb4:cmxO6Z56rIj0jzuiFcY4IO8a
MD5:4A45F971BB3539C6096FE946B73C4AAE
SHA1:FD7A1065C5EB47852B7342DD14D8C5533954B47C
SHA-256:31D8A872F4DC5B030E495325D79E5C5CC85F74322D4C96E13AD03AA026F46C20
SHA-512:9BC2FC02C3802D56F1F5417A4DD777C31F846B67C10FA0E45D7F417577292EDE04C6DC769A98A6069466F98193BF57698C5D4017DCFE65D4DB6A01BBA042082B
Malicious:false
Preview (decoded from UTF-16LE):
  Version=1
  EventType=BEX
  EventTime=133582157415719635
  ReportType=2
  Consent=1
  ReportIdentifier=10335d55-7344-4798-868a-642b323fdb2a
  IntegratorReportIdentifier=562deb8b-c210-4f7d-ba8e-5b1634527f37
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=file.exe
  AppSessionGuid=00000b50-0001-0014-81a6-d7aa4394da01
  TargetAppId=W:00067a8452ce3ef730552d981187181d542b00000a16!0000febe9d268d31c17a24c0cae2d2e2b5d617d8608f!file.exe
  TargetAppVer=2024//04//21:07:58:40!0!file.exe
  BootId=4294967295
  ServiceSplit (preview truncated here)
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9343928585093682
Encrypted:false
SSDEEP:192:7iTN4kvuPyS056rPI3jS3ZrYDzuiFcZ24IO8kVBb4Y:lmu6Z56rIjpzuiFcY4IO8a
MD5:7E4259CEF75EB08D1677112E2DCE38E7
SHA1:AE947F27280C5741B2161BE8DD571C5DBF75DED2
SHA-256:DA672A81F2CFE9D0655E03406669AE074528CA6BFFC6DE6FBAE972FDF5CE7DF3
SHA-512:D6AB6BE1B2F5A6D48C1605082E3790243CF8EC550D0B0FEDFEDB0AFB4620F67AE57F3FBC51353BFF90B493FDCFECF3A2A947DEEFE8E7C47A375DF208AEE75DAC
Malicious:false
Preview (decoded from UTF-16LE):
  Version=1
  EventType=BEX
  EventTime=133582157349717724
  ReportType=2
  Consent=1
  ReportIdentifier=15d3ae8c-14d8-47b4-889c-158b8969f6cd
  IntegratorReportIdentifier=3132548f-461b-40a0-80ce-92c01d6973af
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=file.exe
  AppSessionGuid=00000b50-0001-0014-81a6-d7aa4394da01
  TargetAppId=W:00067a8452ce3ef730552d981187181d542b00000a16!0000febe9d268d31c17a24c0cae2d2e2b5d617d8608f!file.exe
  TargetAppVer=2024//04//21:07:58:40!0!file.exe
  BootId=4294967295
  ServiceSplit (preview truncated here)
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.047780135809523
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:0diTN4kvsPyS056rPI3jS3ZrYbWJzuiFcZ24IO8kVBb4:0jms6Z56rIj4JzuiFcY4IO8a
                                                                                                                                    MD5:F32465F1358D010B64EED37847639D7C
                                                                                                                                    SHA1:7A6882F9D7E248C7349BC7644A8DD822DFCFD7A8
                                                                                                                                    SHA-256:FD0FAFE9C2D3CF8F49EFFA5DD3022CB1C609B099332DB5C9EFF3A9FD19148C19
                                                                                                                                    SHA-512:ACCA33C1160B252646BD7D9912E9D61449CD7D2FAB2545A08753863113FAB5E15F58853C423FEA9BF924590BBD05854ECC7D80BDA9826F67052ED5B253226DEC
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.5.0.5.5.2.0.3.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.7.a.3.7.f.6.-.a.9.8.0.-.4.3.9.1.-.8.4.9.4.-.b.f.9.b.c.b.7.a.1.c.8.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.d.8.1.0.8.e.8.-.2.1.b.c.-.4.d.d.0.-.8.5.2.3.-.a.e.a.d.f.d.3.1.2.5.2.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):0.9080577808324307
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:XiTN4kvfPyS056rPI3jS3ZrYszuiFcZ24IO8kVBb4:pmf6Z56rIjWzuiFcY4IO8a
                                                                                                                                    MD5:3285F04756C85B4413534794F0936FD0
                                                                                                                                    SHA1:74E97A927EAD7E7B16B5404F3D9E9B4C79462394
                                                                                                                                    SHA-256:E64FADA14199ED663C419B596691C0BF88A497E9D4B7621BBFA7B09CEF8A2EB6
                                                                                                                                    SHA-512:D1BCE5152B4ED1F90DD95CC571F623BA8B84F21753EF31DE23831EF01A76A29BE7A2E65E53B1CB2102C2D00A702EB4CEF82ABC0870BF4747FB556C9C59B9076F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.3.4.3.4.7.7.7.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.1.b.8.b.a.a.-.7.5.a.b.-.4.5.c.4.-.b.7.b.0.-.a.e.7.6.b.7.b.2.d.4.5.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.8.5.d.2.a.b.4.-.6.3.b.4.-.4.a.e.8.-.8.b.c.d.-.f.c.1.3.7.f.5.e.3.8.2.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):0.9888250838635992
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:YjiTN4kvuPyS056rPI3jS3ZrYbNzuiFcZ24IO8kVBb4:2mu6Z56rIjDzuiFcY4IO8a
                                                                                                                                    MD5:00CE2C3901C6B8D1CBB8A604CF066132
                                                                                                                                    SHA1:EC25C076C648E507A590F2C84B1C673139DEAEB1
                                                                                                                                    SHA-256:FBDC70BD536146DC6D122F2024C95E06D587E8491463EAD22EC1C81B08F87D8B
                                                                                                                                    SHA-512:2916E5E5EEAA5F9A4ECB902D3D8FBA3DAA004CB663B1FD18921BBB11CEA2017F3B80DDDB3523F09F4D8AFF2ADEA03E4656EE9AFAE7BD044D444533C02C6B842D
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.3.7.1.6.2.0.3.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.8.c.b.f.8.b.-.6.7.c.3.-.4.b.5.a.-.8.f.6.5.-.1.c.3.a.d.1.9.d.e.2.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.9.2.c.e.7.b.1.-.c.4.5.4.-.4.d.0.6.-.b.7.d.8.-.0.a.0.e.e.1.1.4.3.5.8.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):0.9345700594944922
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:oeMiTN4kvnPyS056rPI3jS3ZrYDzuiFcZ24IO8kVBb4:Pumn6Z56rIjpzuiFcY4IO8a
                                                                                                                                    MD5:FA5BB8E5A8753FA52CA7360EA984AC1A
                                                                                                                                    SHA1:8E713B704632C015E045352200F1CD36CCDA9858
                                                                                                                                    SHA-256:34812D813BE432C81EB40C0F41416C9F2D8FD258524A3488232F7CF4E88694C2
                                                                                                                                    SHA-512:6CA920BB22315CE004626AC36D8DD1BC3F5D36A22BF19B13FD972182901383934B7D3DE5A906703058116F7FF2CE2878FDDDB07ECB0DB0E4934B292FFCA8542E
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.3.5.5.6.4.6.7.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.c.a.9.a.9.2.-.f.b.b.d.-.4.d.1.1.-.a.1.a.6.-.f.b.b.a.9.6.d.6.7.5.5.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.b.5.e.7.3.7.-.9.e.9.1.-.4.4.e.1.-.9.2.a.b.-.9.6.d.2.f.8.f.0.f.f.b.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.0481064330216645
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:WciTN4kvfnPyS056rPI3jS3ZrYbWJzuiFcZ24IO8kVBb45:W+mf6Z56rIj4JzuiFcY4IO8aG
                                                                                                                                    MD5:F56CE1230974A9506CA40F4E64B6A273
                                                                                                                                    SHA1:6773ACE1CC36127C298A0F79DF79D777A154C7C5
                                                                                                                                    SHA-256:4B141BBA003DC7769D4DEDD8E04280BD3AA408A2F6ADEA21EC1FAA246B05A266
                                                                                                                                    SHA-512:F8A70E9F0C7EF22DC027FDD536B4825CC803AC79E9B2081324F67C85409ACF17488C664C905FCC8CEDF18D706728138120424EC8F4FB1BF589CD4D49A5DA11CA
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.5.1.4.1.3.6.2.6.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.b.6.f.3.0.6.-.b.f.5.a.-.4.9.3.e.-.9.e.9.8.-.3.7.7.0.9.6.9.6.0.5.f.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.0.9.8.a.0.e.-.6.7.9.0.-.4.f.e.a.-.8.1.5.8.-.3.f.0.2.2.7.1.5.6.0.0.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):0.9344893344241797
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:fbiTN4kvdPyS056rPI3jS3ZrYDzuiFcZ24IO8kVBb4:fFmd6Z56rIjpzuiFcY4IO8a
                                                                                                                                    MD5:3630E135CB74084DEE22D860ED92C1B3
                                                                                                                                    SHA1:6E2E4A2A2DB79696F9006DECEA3B26C8989358F0
                                                                                                                                    SHA-256:C96CFA154A417D6A59811CB053C5229B03D16E1E5960D14F9A19B8BFAA6C45CB
                                                                                                                                    SHA-512:F5ECE5B79BE4197E0177E6703E170CC50A32D3A19C88DF5E02D5F8E2766899157FDA0A3C08B76D84525F45232DD6E9803B419A9C19BEFEECDF250FC7FB90CE2E
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.3.6.1.7.9.2.6.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.a.5.f.c.3.c.-.0.a.1.c.-.4.8.d.f.-.b.7.5.b.-.a.5.1.1.5.6.f.e.a.0.d.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.8.2.0.8.a.e.4.-.c.1.2.e.-.4.f.3.1.-.a.4.7.1.-.7.a.5.3.1.e.f.2.7.9.4.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:modified
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.0480111729930894
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:hiTN4kvtPyS056rPI3jS3ZrYbWJzuiFcZ24IO8kVBb4:/mt6Z56rIj4JzuiFcY4IO8a
                                                                                                                                    MD5:A4C27846ACC9B8F66DCC86073E80E7AF
                                                                                                                                    SHA1:0EC3189731027A4542E41BABD52B57235B0D33A9
                                                                                                                                    SHA-256:CFE44F1656F2AAF0183CBBC4C4906E7F53C23439EE7FCD21481892D93383DD6C
                                                                                                                                    SHA-512:1D372C0FB4847F49D92E103521870CA39901D238DACBF2818F2A5F2260299A6B4DE33A819E155ACAA0B3F3B0398FDDB57B6733159892C3C69971DE68DB3434D5
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.4.7.2.7.7.4.9.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.4.2.f.8.3.a.-.5.0.4.d.-.4.9.5.0.-.a.b.c.0.-.e.4.e.4.6.7.9.b.b.0.f.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.3.3.5.3.3.9.-.9.e.4.8.-.4.2.d.9.-.9.5.4.d.-.b.2.d.6.a.4.f.7.b.3.c.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.0150491058888564
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:FiTN4kvqPyS056rPI3jS3ZrYbzzuiFcZ24IO8kVBb4:Lmq6Z56rIjdzuiFcY4IO8a
                                                                                                                                    MD5:22BA37ADF5E2264826C08F7ECEA9FA49
                                                                                                                                    SHA1:D61C0F86C734470C1BFBBF89A9C31A0BFF6CC7A6
                                                                                                                                    SHA-256:70701C8AD7E1AA9AECA0D9675395C2EB708953357088D22E27251E55275AD553
                                                                                                                                    SHA-512:7E778DF5DDE777B70C6E129918BA22CBBDAC81C43458E977DFB74BEF2CC46FD560C173C460B49F9614DB98913802310B55B1D7B6909A139B593015CFC7D40C85
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.4.0.7.6.5.4.0.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.e.e.2.0.8.a.-.c.9.2.f.-.4.f.5.1.-.b.e.0.5.-.e.a.a.5.3.5.a.b.5.4.4.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.c.d.c.3.b.1.-.f.5.6.9.-.4.a.d.a.-.9.1.8.b.-.d.8.9.f.c.d.f.e.2.9.9.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.04778575666465
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:yAiTN4kvTjPyS056rPI3jS3ZrYbWJzuiFcZ24IO8kVBb4:nmX6Z56rIj4JzuiFcY4IO8a
                                                                                                                                    MD5:EA070C6F99993907679093EDF4E87DF4
                                                                                                                                    SHA1:312DB2E97E3EB70270E917697F6963849A9C1814
                                                                                                                                    SHA-256:479FD874B30A1A3214350C5EA6DA57CF7ECBE0A412C7731BA5E85B717DA7BE19
                                                                                                                                    SHA-512:01FC43A49579A1064562613D561894C8F6B162B70B7B9BD586437E0A383EF6041C5967B779A353AE1395CB3D85AFE0107E9CA6F9B8B03F94FF27768B22FF91C0
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.4.5.1.0.7.5.6.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.6.2.1.d.e.d.2.-.f.a.f.3.-.4.f.b.3.-.a.9.7.6.-.1.6.0.2.4.7.4.0.7.8.0.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.2.4.0.e.d.6.-.b.2.e.2.-.4.8.5.c.-.9.b.4.c.-.4.9.9.7.e.6.d.1.f.5.3.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):0.894583972830973
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:GjiTN4kvMPyS056rPI3jS3ZrY6zuiFcZ24IO8kVBb4:GNmM6Z56rIjgzuiFcY4IO8a
                                                                                                                                    MD5:E8A2D93108ED3B21A89651006466B617
                                                                                                                                    SHA1:9A460E070E5F7093F9BB3F223ACDBBCA48CC351E
                                                                                                                                    SHA-256:918AF43415E945CF80422982DDA02043A534382EDB7FB1FA792B4BAAAB6DBBF3
                                                                                                                                    SHA-512:F3C01D4CB87C19B69F1E3A6105016E0F56BB914DFF897F184C7A8560E59AB504C0E7AF6E7A279E024B37D422BEC0F01CCF0D7BC9D4DD24B48440BFD8BC0B0AEB
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.3.2.9.6.0.4.0.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.d.c.9.3.c.5.-.c.b.1.c.-.4.3.8.e.-.a.3.4.b.-.3.e.1.5.d.7.2.3.4.d.4.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.e.1.a.4.c.f.-.c.b.2.0.-.4.7.5.9.-.a.3.b.4.-.6.0.2.4.4.7.8.0.9.1.7.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.0478206956040896
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:6iTN4kvTPyi0JsAnbcAgI3jS3ZrYbWJzuiFcZ24IO8kVBb4:QmT6pJsAnbcA3j4JzuiFcY4IO8a
                                                                                                                                    MD5:F01F6802A73C8EDB833F75CF4A9AAD19
                                                                                                                                    SHA1:6D7397A7FD699FED26188F6EF12E87BD73C3C096
                                                                                                                                    SHA-256:CC9F808DE817C31D5D0941C0A7BF96337FBB591B0DEE4A0182CD7157E351E600
                                                                                                                                    SHA-512:0960961185A2B083CAEBC0230951BE6E8BADED5B56050886DBBCCFBBF99BE8F41D58EAA6AC308CF5DDEAA50C808D8B65F89500691A924F79DC505A2B6B67AF96
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.5.2.8.8.2.5.8.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.0.2.0.8.0.a.6.-.2.2.9.b.-.4.1.0.a.-.b.d.7.6.-.8.8.0.7.7.a.d.3.8.7.b.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.2.4.7.6.0.1.-.8.7.d.b.-.4.c.2.9.-.a.9.0.8.-.d.7.b.6.1.f.0.b.2.2.c.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.0479227251818521
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:UzDiTN4kv9Pyi0JsAnbcAgI3jS3ZrYbWJzuiFcZ24IO8kVBb4:UJm96pJsAnbcA3j4JzuiFcY4IO8a
                                                                                                                                    MD5:F4F1E02A568ED67CE7AB2C4DB605303B
                                                                                                                                    SHA1:D2474D2F08B11498565441503EE4EE8D49EF129A
                                                                                                                                    SHA-256:1588CF346968A82EB1A176CC0172B46DE32EAF00091EE01C921C68E7B3C46E69
                                                                                                                                    SHA-512:C374FF6F3D14746AF6CBDD352B874C584D31D765DAE03BFC794E84224FE1AF7D8974C4002ABD30CD3A0459C554CB35F81CC7F5ACF594B9161F2F1B471CD2B868
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.4.9.5.9.7.7.7.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.a.5.c.6.0.f.-.c.c.c.d.-.4.b.b.6.-.8.7.e.c.-.0.e.7.7.4.3.5.d.9.d.4.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.8.f.7.f.5.f.-.b.b.b.6.-.4.5.0.9.-.b.2.3.4.-.f.b.6.0.b.3.8.3.8.0.b.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.0417745596178778
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:QViTN4kvlPyi0JsAnbcAgI3jS3ZrYbWlzuiFcZ24IO8kVBb4:Qbml6pJsAnbcA3j4lzuiFcY4IO8a
                                                                                                                                    MD5:E96958BC4C8111DF4392E827A3456DA0
                                                                                                                                    SHA1:1C96B2EEDBEA0676358DB1E663283E8F995AAE93
                                                                                                                                    SHA-256:68E9B318E19898030AC1CDCBCBF2FF350CF13DC057F28056F60C5CC56CD806A7
                                                                                                                                    SHA-512:E391A274101C756870D5C04B5B088492776B25B2C0154C255C277DBCBB620C54A251B48CAF7D70EF400AF73B2D992BC3A6F702E4B5A98A9C0C41CFA0973119D8
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.4.3.8.6.7.8.7.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.e.9.9.0.9.b.-.8.1.7.e.-.4.8.2.1.-.a.1.5.d.-.d.8.4.a.b.b.4.d.0.7.0.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.f.1.1.9.e.3.-.7.6.c.d.-.4.b.b.c.-.b.1.8.3.-.4.6.f.9.3.4.7.b.5.d.5.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.047734375481204
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:4iTN4kvgPyi0JsAnbcAgI3jS3ZrYbWJzuiFcZ24IO8kVBb4:ymg6pJsAnbcA3j4JzuiFcY4IO8a
                                                                                                                                    MD5:D77866FF92A38EF905605744B6C20414
                                                                                                                                    SHA1:12E1792285B28159AF67C3BFE5AB192FBB509871
                                                                                                                                    SHA-256:E60ED3E09DA65BAC0FF114796D88BADFDF4383C96154C3FF9C74F18864F1C5C5
                                                                                                                                    SHA-512:E483BDF1438C4843B41EC5E5617C6BACE1E070EC43FCCF0DAA89C6B240EF9D9AA692E7A6BE8E1B7847E7456FA37666CF3F2519F0F31713871D3EFEB0B0E8FAD3
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.5.2.2.6.3.9.0.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.f.1.7.7.5.b.-.3.4.a.e.-.4.8.6.2.-.b.9.5.8.-.5.a.7.f.b.c.7.2.2.8.2.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.c.5.8.a.c.7.-.2.b.d.f.-.4.8.4.7.-.8.4.4.e.-.f.6.d.5.c.e.3.b.f.2.e.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:modified
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.0412899645235876
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:pfiTN4kv8Pyi0JsAnbcAgI3jS3ZrYbWlzuiFcZ24IO8kVBb4:pxm86pJsAnbcA3j4lzuiFcY4IO8a
                                                                                                                                    MD5:36BBAFCDA35A632DD875FD8E7751118B
                                                                                                                                    SHA1:030BACAA24193A392C6FE40D890C2BBC598AC1D1
                                                                                                                                    SHA-256:63038A47ABC00A59AAAC6C57F7A25CE49FB02554EE578BDE51F83297A7E783C2
                                                                                                                                    SHA-512:2F761A685C1F4EC17B1B5D2824F3E45F111686256F5F596007FECAD8F1792A5D10FE013B3AC08E8D372846EFEFF8B4DC4187168CBBFAE426A954178936B5C287
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.4.3.0.4.8.3.9.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.2.4.c.9.9.9.-.a.2.a.5.-.4.1.a.a.-.9.f.b.c.-.f.4.6.e.4.2.1.5.5.e.4.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.9.b.0.a.5.3.7.-.e.6.6.c.-.4.1.a.f.-.b.d.6.3.-.a.a.9.9.1.1.4.4.d.3.e.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.0478763068056167
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:UiTN4kvSPyi0JsAnbcAgI3jS3ZrYbWJzuiFcZ24IO8kVBb4:2mS6pJsAnbcA3j4JzuiFcY4IO8a
                                                                                                                                    MD5:5F00822AFA89EDE83C4EED94D19881B6
                                                                                                                                    SHA1:AD4DB0BC6D5E9B0F4C2339B204E1AC7B88B19C01
                                                                                                                                    SHA-256:CFAEEAEBFC0D88F0F17EFB8EF55A561584FF36DFC2388E6EF19475DB06778470
                                                                                                                                    SHA-512:39ED3F1CC6D5312864F8FE88DF7061CFEC67863AC1FD29BFA1439744DE7D30493FEB5EE0CDEFFC4F43522DCB4A969A9472485F07C28E4A3B61BBCD7473F876FC
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.2.1.5.7.4.8.8.7.9.0.1.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.c.b.d.9.0.8.-.8.b.8.4.-.4.0.1.d.-.9.f.b.d.-.c.0.8.f.f.6.5.5.e.8.5.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.d.d.c.d.3.4.7.-.6.e.a.b.-.4.0.3.7.-.b.e.c.4.-.9.2.a.9.4.c.c.9.d.8.7.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.5.0.-.0.0.0.1.-.0.0.1.4.-.8.1.a.6.-.d.7.a.a.4.3.9.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.8.4.5.2.c.e.3.e.f.7.3.0.5.5.2.d.9.8.1.1.8.7.1.8.1.d.5.4.2.b.0.0.0.0.0.a.1.6.!.0.0.0.0.f.e.b.e.9.d.2.6.8.d.3.1.c.1.7.a.2.4.c.0.c.a.e.2.d.2.e.2.b.5.d.6.1.7.d.8.6.0.8.f.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4././.2.1.:.0.7.:.5.8.:.4.0.!.0.!.f.i.l.e...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....S.e.r.v.i.c.e.S.p.l.i.t.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:10 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):140240
                                                                                                                                    Entropy (8bit):1.9798375541558633
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:3n6n8CND4lTv8UYwGaAYZP60+qeT2rCqm:9hJa06T2rCqm
                                                                                                                                    MD5:0211715AE8B79DB1ED8D844F0EDFE6A5
                                                                                                                                    SHA1:68BA1C186E546525F391ADAFF1D44F590DEDA27B
                                                                                                                                    SHA-256:7A272CE9D2F11C49C2701AB3D6E769E01DA6B3C9A81A989D0174A8C9CA8306FE
                                                                                                                                    SHA-512:631E22348A53FDEC9994352C387F30ED9C4DB4646AB160A6B8AF43F5858DF4EF3A9C39BA8655FB388B5CBE1C3FE35D041AD36EEE3E49D799322CB0176E164055
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... .......F.%f........................p...........l...(%...........Y..........`.......8...........T............K...............%...........'..............................................................................eJ.......(......GenuineIntel............T.......P...3.%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8412
                                                                                                                                    Entropy (8bit):3.6983669681177425
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfCT6W6Y9fSU9mIgmf6EVpBG89bSRsf9mm:R6lXJW6W6YVSU9mIgmf9lSKfl
                                                                                                                                    MD5:217E15AAD1632D6C4B25FFC7BB954FA5
                                                                                                                                    SHA1:46FC76F04D010497889F70F97C64EED6A97BCEE9
                                                                                                                                    SHA-256:AD3C1306D7FF349933024B97CFD908BD948DE6E8FB187513CC584608280FA71A
                                                                                                                                    SHA-512:3B2D07F76600EDD47B44C97E8DCA4C414396E4209B6D131425C68F190531CC3EDB9ABEAD9FC97E90042654A09E23E4BF7942FE8CD0D28CE15DAB1EE7A6C72F26
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.9.6.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.4549568887778035
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYaYm8M4JhNJFsB7+q8vMNLjyvkd:uIjfuI7h57VWJhSB7KM5+vkd
                                                                                                                                    MD5:794B56B4B0C378397D1CD91A3A6173BC
                                                                                                                                    SHA1:52170EB4DB7D7D4D068933C49DBB5A103A466874
                                                                                                                                    SHA-256:957622B76F911FF215170C348BDFB228783C50B897B9E831C1EA7042A18D3B30
                                                                                                                                    SHA-512:73B72F879B7474B1037A98C065B2E92325A14FAC19498A969B8562FDCD0298AF3B62464FDBF44C317883B5349E0A67DB894F6923C216BD95F5AB14496981F453
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:11 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):139788
                                                                                                                                    Entropy (8bit):1.9897167434272096
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:zq3KCNz4lTv6l6MEqWwuaAYZP6NmtrF4QZ4:fdivEqcNOFLZ4
                                                                                                                                    MD5:635B33B96E95D7A50C5404C5B53B0ED2
                                                                                                                                    SHA1:1D7B972836F7B35F6A45B82456D53C774C31B4C0
                                                                                                                                    SHA-256:707D33AED2621369F4B040C6A98138B8BDA59CC73F64E895ED9F23D3BAD87CDF
                                                                                                                                    SHA-512:9F0831D683460A8A44CE70251AA7C7AEFB4C177CA057498B508AE21D655D754785071CEF4BC1845D0932E89E4BFE491964B73FBD02571222487B49E53511F32E
                                                                                                                                    Malicious:false
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8412
                                                                                                                                    Entropy (8bit):3.6984980914267735
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfC8676Y9XGSU9UIgmf6EVpBT89bbRsfppm:R6lXJp676YtGSU9UIgmf9+bKfm
                                                                                                                                    MD5:634F791A807C9DB37A4B8B806DCC0F09
                                                                                                                                    SHA1:2B5459F491D1F4418F864E67177D2C91ED93C895
                                                                                                                                    SHA-256:12FD70FE5E34EC416DA7A5256CE61A22DE1EDCB8A81AB3B62F3112BDD30E3A9D
                                                                                                                                    SHA-512:BAA87F54173C65C425B8841F8CFFBA9463D1D22E6C9E3F782A6767E3D71DEE3599237F2DEEDCFECDC7EBD25C11558361B6F2D248909DDDC2CA7B3C42D29A6F6F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.9.6.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.4546786695870875
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYLYm8M4JhNJFr+q8vMNLjyvkd:uIjfuI7h57VHJh5KM5+vkd
                                                                                                                                    MD5:04CEC444752D5B36ECC9E8FF0A6F6A94
                                                                                                                                    SHA1:41215E8E5AE77A1032F22D13288D908B61246DDB
                                                                                                                                    SHA-256:A1126D5E1382493D3B1EA978A83AF7AF84897B8C9F419A966C61B1EB9593B9C7
                                                                                                                                    SHA-512:781D40D9422A5B11A9241094C0C98E6524DBD384EAC8C489D35A5222738214DE2491978DB74D4E16B9DF59D59659299C45EC4DE6E5DF27BA092C3B593EF509F9
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:12 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):139336
                                                                                                                                    Entropy (8bit):2.0018313386600046
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:MaH2CN+4lTvF+Pwq9WwGaAYZP66XxXDwhtP2uIbts5kf:caNXq9UWxXDw32uIbt7f
                                                                                                                                    MD5:8CA5CB6147D5B5DB1485E4379FF98258
                                                                                                                                    SHA1:67F7A72EE98FF7AFB16E2E085430614EC07F359B
                                                                                                                                    SHA-256:51061A70C6530A4B647F0C402F915CF2F9D61475841CD93A489C2D4B3A526093
                                                                                                                                    SHA-512:750A119F86EA16FFA0AD6F1DCDAC131BF33F85AFE8C19FC12D36690396F2692E108EE25F9F2EB310858D75D06AE77AA04C1CC8DB320F2B9B5D6B1B6A8DC0C4C9
                                                                                                                                    Malicious:false
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8412
                                                                                                                                    Entropy (8bit):3.6975970351840965
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfCs676Y9XSSU9UIgmf60aAjAypBT89bgRsfjAm:R6lXJ5676YtSSU9UIgmftaAjAxgKfh
                                                                                                                                    MD5:E2BC416F878BE4FA70922D56E9F19375
                                                                                                                                    SHA1:955A4BAE1F7B39A1D32C5AF101075ECB7C3ED392
                                                                                                                                    SHA-256:8F99917C747BEEC4AB8A5C0AA9C0751191D1F09B7255938A991CE4024A254B42
                                                                                                                                    SHA-512:C2810CD7BB6F851EAF06F5B44FD8429AB14788191BAD451757BE9B93C470D3CC9375B9F39053D2CD0D04274AB44D3E6B3DBE1A1E3B816C4BB6EB2628185E266B
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.9.6.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.455703457400895
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYCYm8M4JhNBFH+q8vMNTjyvkd:uIjfuI7h57VqJhVKMp+vkd
                                                                                                                                    MD5:8B9C6B5B800AD399F16047CB3781C642
                                                                                                                                    SHA1:EF9B53D738E225A2AEDE4C75248F4CB880BB91D8
                                                                                                                                    SHA-256:C07CAC194CFC2D6434DCDB7EC68218EA680E78C9C293C8DA86D1C70C0C772842
                                                                                                                                    SHA-512:2E372CC6C4762341CFC892E17BA9838DEF90969CD47868EED745EC6E6EFB9801815F30C30FE124953F7CCC849B3098F0233ACE276E6C053E229D6E4B57910C2D
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:13 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):133880
                                                                                                                                    Entropy (8bit):2.031095165529541
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:FXXq7RL+e4lTvgG2wF1+hwXwGaAYZP6RBKyFgc0HU:o7orhFkhw/7Kn1HU
                                                                                                                                    MD5:16614756322A4B562CB850BBE8CC9F0E
                                                                                                                                    SHA1:ACE7A430584CD5902E35B7C5CC6204BBD814197A
                                                                                                                                    SHA-256:602465E540CB147A7B0C53ABBB731E979ED379628117EC9E0D63B05E2C31101D
                                                                                                                                    SHA-512:E6BE9AE7CCF4AE25F1A9DC8DE4B6FEEA305F5CD9A2C811556221A0FBE3C7A50FA33F7746661DB57D5BD39668187E3D05CEAA991C71490B954B65809CD7BD43BC
                                                                                                                                    Malicious:false
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8412
                                                                                                                                    Entropy (8bit):3.6957175341409654
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfCj6q6Y9XzSU97Egmf60aAjAypB089bpRsf1Dm:R6lXJG6q6YtzSU97EgmftaAjAUpKfc
                                                                                                                                    MD5:D70306D47F301A744098392CEEF643BF
                                                                                                                                    SHA1:FA829EBE8C823D3C875AE5F4C082132EAFCE22F6
                                                                                                                                    SHA-256:89397A317786BAE36AD723F151E438E35CEF74ED5A8CB7D8C0CF12A851FCE461
                                                                                                                                    SHA-512:973965CCE17FBAC7D5F493C38AE36B9DE68BAF934796EFEBC8F19C775109BCA29F4B91D87B779F52578027E42FAC7F69C6A2CC3D7497D018232ED5138516F604
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.9.6.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.4533227116304435
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYi0Ym8M4JhNBFx+q8vMNTjyvkd:uIjfuI7h57VBJhLKMp+vkd
                                                                                                                                    MD5:A77B0719430595944E17BE591A81461B
                                                                                                                                    SHA1:66427264EC919594EF03C0BA71CB6ABE6DC15A52
                                                                                                                                    SHA-256:3C0953B449E9128E4D88E603CD2CFA482CB73E6F67433D5E0A0EE90A7A38EFC5
                                                                                                                                    SHA-512:E545B313511E119AC3C77BA7ACB12B808446F69CC84BDB392B44CA82134EC343AF82C8CCBFDEF0CAAA3574CB2FB841D8136196B26196DC5F753556C7E495DBE5
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:28:53 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):60284
                                                                                                                                    Entropy (8bit):2.30660068036045
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:74BR3KlTve7NsRMX0pvqG+AYxVF680UnUp6xHC0Pd:8BRalTve7Nr0pvqCYx76gLPd
                                                                                                                                    MD5:17A1E728DA268C1D7960A996105B96A5
                                                                                                                                    SHA1:8E003348902197BEC4E18872FBC8C058E640C9A2
                                                                                                                                    SHA-256:E3FB89C469172AD80E6528D8EE99E993F90168E514462197F302464EDE69500A
                                                                                                                                    SHA-512:FF6A27F4F7A6A5352228E40DD693A486664DE0BC41967510572903BE8817F3D0747F5460A8DAE6503FB3C30300280CF02BC8CA99AF78947919CD95AA81B7C9C4
                                                                                                                                    Malicious:false
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8410
                                                                                                                                    Entropy (8bit):3.7004833515937072
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfCf6dci6Y97LSU9Wglgmf6EVpBH89bMRsfDkm:R6lXJy6ei6YFSU9Wwgmf9yMKfl
                                                                                                                                    MD5:A7152751191EC7079E331705B7767182
                                                                                                                                    SHA1:2BE9CE9C681524BB05B119056C1E3F0907A9BF88
                                                                                                                                    SHA-256:07FBC6C1519D1A0F70CCD352C235DE8988A2F59843CC3C9AA3D3D6B6AB479D13
                                                                                                                                    SHA-512:ABC257FBB79A9358CACEED5E4205D1418F3DD308D11FB7B980F5DC2B3BFA777EF2D239C7B5565521DBF5D8954007EAEBA961506E5606C98BC0B8897F7184665F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.9.6.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.4550027892048965
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYpYm8M4JhNJFP4+q8vMNLjyvkd:uIjfuI7h57VhJhCKM5+vkd
                                                                                                                                    MD5:C443AA3359E8B236FABC40910B8D0B0B
                                                                                                                                    SHA1:BB9D5FF7465988D88A098F28EF953EB94AFA953E
                                                                                                                                    SHA-256:E2A18937E44211B207541F976E6D3537F7CA12D2C80E6677FA7CA922DCE0D63E
                                                                                                                                    SHA-512:B6A9096856152709D702EEB8B8C92DD45D94BCBB49C6AF4313075B6798FEFE89775B295ADC3B5780000C556CF1CDA8E30EE1C253F4453A4BC70F8AD5208A4347
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:28:54 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):74324
                                                                                                                                    Entropy (8bit):2.3773242483396575
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:utmep3lTvrQ3bVsKh1FLWJOYG+AYxVT6cljnUpOIgSqgLf/Y:nep3lTvkxDlWJOYCYxt6KqX
                                                                                                                                    MD5:CF7298300615DCF00A0530A9C660829A
                                                                                                                                    SHA1:D3227DB83A807A3C3576C39E89A0507331E14DAF
                                                                                                                                    SHA-256:248F569075C6448A47FE96A39BCA111040B993A9F4CDAB2083A84C8E296FFDAF
                                                                                                                                    SHA-512:D3DA11C53F853F5FF053469A5AAF842B32F687FBE881E61DF5CE6B9FAD2DC697EE8E741F244BAE02FC3995D702F14B1BF43E1BEB893A710C91A8928F2055A74B
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... .......6.%f....................................<...............|3..........`.......8...........T............"..l.......................................................................................................eJ......\.......GenuineIntel............T.......P...3.%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8408
                                                                                                                                    Entropy (8bit):3.6996844437731253
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfC26Q6Y9ZSU9cg8gmf6EVpBe89bjRsfoBm:R6lXJ76Q6YzSU9c5gmf9tjKfD
                                                                                                                                    MD5:237B6EEAFD00BF88FBB348FAA18C9F5D
                                                                                                                                    SHA1:0D78BF4DDA65BBB390F90AE708168DBC338B80B1
                                                                                                                                    SHA-256:A2857F4F1EA8FE6EBF2F52D715C6A6CF19ED530A251280CF99B43C410335C4DD
                                                                                                                                    SHA-512:C09E1DA9001EC3FF4768D535B79F0C018160E583095F947E696CA8B4858326C35EDED230ABF6B34080DC713A4C011E5C395004E5E304DE6EC3756F6A5C4A0B06
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.9.6.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.456489061413185
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYzYm8M4JhNJFhp+q8vMNLjyvkd:uIjfuI7h57VfJhrpKM5+vkd
                                                                                                                                    MD5:B0B410D254BC7D0B737F800450D714F5
                                                                                                                                    SHA1:70CD85305D8CA65A2467DA20EAD9A037CB750F53
                                                                                                                                    SHA-256:6F501CDA83FF76BEBA3A12AB8FF1E9FE286631ABE4A4D9548464A6A43231C06A
                                                                                                                                    SHA-512:AB081DEEF34F003B0CE20088C99BFAC510D47A757E6000E657B8D6423F8A1C9909B92CCE713D6BF51019961A398B9FAC4EA023F88B2080FDB7B788F16F49C17C
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:28:55 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):85814
                                                                                                                                    Entropy (8bit):2.2405398440582838
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:Vy/osidNZlTvSjNuBx3NpXdsr2yRJOYG+AYxVF6cYj8UpOdSET97CqW:Q/QdrlTvSjNGdpXdXyRJOYCYx76kto
                                                                                                                                    MD5:3243903D53F3487A1369F7CB3C1F220B
                                                                                                                                    SHA1:68D30DAA2AD119EBAB6E9DEBD36DD631D7D15652
                                                                                                                                    SHA-256:D8913CDD63D38D7525C2BE47A49B58682A19AE035ACBE7A0C94532D327938CB2
                                                                                                                                    SHA-512:1C24B3C5B69E3530F80528F0D130AE9B88EEAD97477303F0A596F1D498D86BC2B8D98D73418D9EC2D9B408EEBB57430AF9890D9CE02E8DC89AD4C60A7F8079F6
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... .......7.%f............T...........D...h.......<................;..........`.......8...........T...........($...+......................................................................................................eJ......l.......GenuineIntel............T.......P...3.%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8410
                                                                                                                                    Entropy (8bit):3.6999951237730953
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfCS6G6Y9eSU9cg8gmf6EVpBy89baRsfE+m:R6lXJf6G6Y0SU9c5gmf9xaKfU
                                                                                                                                    MD5:65A1491B06FC899D445C8261A5BEF2B0
                                                                                                                                    SHA1:FD0BC562962547D1ED4CCF4CED9C906604F967B9
                                                                                                                                    SHA-256:7F5D3F354B9DBB94545F7F742601F4AD7B5C3C16504B6B3AB28639118F310784
                                                                                                                                    SHA-512:E000C5A7A963737AF742F0696D4FE9E74E76296B2284538B2A9EDDE2F6B04B8E9620C8D011F29F2D09C9227AB916EF69480ED42D0B573683F8CA923E2C1F7A13
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.9.6.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.4545400977649345
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYtYm8M4JhNJF6/+q8vMNLjyvkd:uIjfuI7h57V9Jhg/KM5+vkd
                                                                                                                                    MD5:DB948BC05C1B239C14BC3D36DBDD44E1
                                                                                                                                    SHA1:9CE75D07B657F8673AFF6E89D56C2AE68373ED7E
                                                                                                                                    SHA-256:C2F61CCA95A002130BD0D5F8E6298BA8A85FB99DB82AFED2EA622B5D8FEE3E2F
                                                                                                                                    SHA-512:5D8B43F320B9679B03B0DEF227A7B58CC7D59FFF9CCB3692679395E9AE5BEA6D19CB5316E21A7CCF9AA9416861841DB55DB14561F357718AFA60B775E3732916
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:28:55 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):85390
                                                                                                                                    Entropy (8bit):2.2524435655962614
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:SsidN0clTvdaB1sxp13uUyRJOYG+AYxVF6coj8UpOmSaeuIgJxUBreW:md+clTvdsyvyRJOYCYx76UspxU8W
                                                                                                                                    MD5:5B20EA73D3B2FB8CC26B020CF625005A
                                                                                                                                    SHA1:4EFA378AE0A968BB1E025E4FCB56F81DE32BFB31
                                                                                                                                    SHA-256:41177C575A4476287F8BD029928A4543372C8DB39C595E3AD23E5F2B36805FBE
                                                                                                                                    SHA-512:52C5620B1541C3A77CE3FEB437C9756C91F11AB9DBAC6C94B40A7AEE974452B10F5D2F78AEA9CD3E368CEA1FCB6327DD1AFB44C0215CF3A1E223A7505D0ED186
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... .......7.%f............T...........D...h.......<................;..........`.......8...........T...........($..f)......................................................................................................eJ......l.......GenuineIntel............T.......P...3.%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8410
                                                                                                                                    Entropy (8bit):3.700086302412444
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfCC6q6Y93SU9cg8gmf6EVpBa89baRsfqM+m:R6lXJv6q6YtSU9c5gmf9ZaKfT
                                                                                                                                    MD5:E8947F338FAA5680D970CE808100364B
                                                                                                                                    SHA1:3C16911B60749AD48D638523C4268E743A7FF7D5
                                                                                                                                    SHA-256:09305550FE0D7756E95F201AFEB471C486F6C7566C7193AD061205DD915035AB
                                                                                                                                    SHA-512:4DFE5BE214018C0BCF685705EA94B0A8E2D8D0A3491D764440DA2F558701D1B9FD2467937B5D6A4142951EFF825F94130B389E881123D068CAFCA1C834B3D309
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.9.6.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.4576093902618
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYQYm8M4JhNJFGR5P+q8vMNLjyvkd:uIjfuI7h57VYJh0R5PKM5+vkd
                                                                                                                                    MD5:90CC64AECCB2C4496A339CEE2A4B287B
                                                                                                                                    SHA1:80504013BB3037765C2D980EAF74064A71E82586
                                                                                                                                    SHA-256:082CFF0E25CB111585950AA317068BE1DE8BF5EF858871C828E50BD6A5788A6F
                                                                                                                                    SHA-512:690DEA0AB56D743B94A9832212C75A230A06EF2DDE01D6F8F78D602BC4FFF14086210BB3C3FCC10A11E9C514A98EEA7F4E79B8299B36374C82815B676EB4A39E
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:28:56 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):93712
                                                                                                                                    Entropy (8bit):2.242917721722728
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:QZnD+oIGlTvvBvX31Uhsjp5k3mk12DJOYG+AYxVT6c/jFUpOwSF0MfCaU+pmdGBb:W+vGlTvx6Ep302DJOYCYxt62tKaUik
                                                                                                                                    MD5:145A8B08AB9DFECFBF2E09CFB74B54C9
                                                                                                                                    SHA1:8BBC663B24060340D31D31E09B02EFEE73A5CDAF
                                                                                                                                    SHA-256:D8857C030BC70F2D5C0346285F117A02E6EB1B36B3593FC5F07015AE0AB31717
                                                                                                                                    SHA-512:E9390A054576BCA967C51241883F2588C2F6C8E93086B9BAC8A6A094BF6DD23A44CD52858DCD427105FC7F1BCF7CA7B7D2DBF3CDC0ED73841A92AFE47A736A50
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... .......8.%f........................D...........<................>..........`.......8...........T...........p'...F......................................................................................................eJ..............GenuineIntel............T.......P...3.%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8410
                                                                                                                                    Entropy (8bit):3.6987200406669825
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfCl6be6Y9cSU9cg8gmf6EVpBw89bxRsfsbm:R6lXJ46i6Y2SU9c5gmf9nxKf9
                                                                                                                                    MD5:819E1C850F81A5A0D4F041DCDA8D656F
                                                                                                                                    SHA1:28B97BBADA1B3C691D517C87B97D417D7A16F610
                                                                                                                                    SHA-256:F366945DF8DC039772D0FAA4EF4B848BB2FCA4BA31A6FFE551DF6E8AFEB7D85A
                                                                                                                                    SHA-512:1B8F22B0BCE1F2E5CF661DB280F567843A81A65612BB0395E014F5E7818F4FE5E6F7187AB558BFCD0A8A6B0E2D59CDE3EA9731CBFA1A557E167C283F816E8407
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>2896</Pi
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.455224705879269
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYlYm8M4JhNJFem+q8vMNLjyvkd:uIjfuI7h57VlJhzKM5+vkd
                                                                                                                                    MD5:B324375F5A2CA60676C95718FF3B5D38
                                                                                                                                    SHA1:E5E82FA18D562CE2459091FCE4BF49255F3D60AB
                                                                                                                                    SHA-256:BEF5E7896228EC3D7A913BCEA9081D9D394BABA5517D5786E882FDC09C773816
                                                                                                                                    SHA-512:A822DF87599AF61392042CD5525300E22A559BAD465A3AC9022FBE1AFB92D8F7624D1F870C873C0AAEE386453FEFCB006BED9EAD7442D59B192635D47F287AC9
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:28:57 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):110494
                                                                                                                                    Entropy (8bit):2.323407152108866
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:swTlTvvBVVlwMCU8RJGBmYZT6GL4nNT6:s0xVVlgfOv4NT6
                                                                                                                                    MD5:498661DA3479E08299EC4B90EE62A32C
                                                                                                                                    SHA1:342D3A5B9161BAF8EFA89E92DCED9C8CBAB0DC3C
                                                                                                                                    SHA-256:E98277BEF2306FEE698B8D6DAF49BD542B3EDBFF4583CA496410CEBA53F859B7
                                                                                                                                    SHA-512:794BAC99454E70D3F500437ABC02E69CD8014ACB44466DE774F6F2D116A794D749FBD8D11DD203BC1236DC87E1FBDAEBFC74B58A0B62D6F35142086B8994046B
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... .......9.%f....................................<...l ...........E..........`.......8...........T............5...z........... ..........."..............................................................................eJ......,#......GenuineIntel............T.......P...3.%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8410
                                                                                                                                    Entropy (8bit):3.699740934607127
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfCy6I6Y90SU9PgQvGgmf6EVpBw89boRsfkYm:R6lXJf6I6YuSU9PEgmf9noKfK
                                                                                                                                    MD5:F0C3C611E65F9EAF96DC8598DE451908
                                                                                                                                    SHA1:B3E44F01BA3C040A7B2387BB7AF35444D5BD0179
                                                                                                                                    SHA-256:2F8D4A77A3A941146B1F05F732E9CA3E5E4752C6580147DDAD99A0818573E95C
                                                                                                                                    SHA-512:3AAEA266C6BEBD624F90097CAABA2CDAA441E20451C67EFC06C2B52CD9F14E96A37D4446B7516A0508EE71BBB1DFE9C8CA6C6B38EFF41A79C9FC928EB8BE280E
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>2896</Pi
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.455784850300265
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYmYm8M4JhNJFM+q8vMNLjyvkd:uIjfuI7h57VOJhmKM5+vkd
                                                                                                                                    MD5:87407C8BC306446747187311722823A0
                                                                                                                                    SHA1:A194A8818A29646BF04FB181C25FD2CCEE267212
                                                                                                                                    SHA-256:286376C6B8328BF161466029F21428007177831927446A7930161F4A1EEE57B3
                                                                                                                                    SHA-512:F003FE6ED14BF5F75F72BA7D2CA921478A995FC3D0E6A9534BC9CF5D3D928D3DFA7C1BA839323FC6F345BCE06BA2A5E8E2FEE6A27DFC3035EA787C6AD4F44519
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:00 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):120208
                                                                                                                                    Entropy (8bit):2.0886264725898527
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:8DTJSV6SlTvMtCHX6dso2ur1AaGaWYZFN6V5jmUpqiSwiCl1mijc4UCQieLA:8PJDSlTv/3eTl1AaAYZT662PmigwCA
                                                                                                                                    MD5:E719C15FE67B3A4B85C48C8530B14266
                                                                                                                                    SHA1:C502FD6EB6980B937597B2E8BF6C1E4A8950B2FF
                                                                                                                                    SHA-256:DD463D99DE9C56FD59D44DBEB2DD79BFA96916CDC7F69AC3883FE6017285755F
                                                                                                                                    SHA-512:B20AFFB8535E8B8D73E4BC9327A9F908A7091398D2537048DADE40C3965A7AD7F6C78D512823478EF82DA02E64FED016D6A22AFAC6DFC102018072E52DB60752
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... .......<.%f........................T...(.......<...|"......$....M..........`.......8...........T...........pE.. ............"...........$..............................................................................eJ......<%......GenuineIntel............T.......P...3.%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8410
                                                                                                                                    Entropy (8bit):3.697009881681015
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfCY666Y9sSU93pgmf6EVpBB89bDRsfZhm:R6lXJF666YGSU93pgmf9kDKfO
                                                                                                                                    MD5:3E4C5555C2D689EFDF4E2C47D064D749
                                                                                                                                    SHA1:7FE3F271557D8ADD6A0E84066888077B83CB135F
                                                                                                                                    SHA-256:FB1B0C60C21CB6620ABBD274E70563DF186EA206C9D2699D06725D5F8AC4C8CA
                                                                                                                                    SHA-512:7C4C7B1BEE35FEAF92213F37203048133293EEE98B271B772107684EB3043837AE4CDA4CC16EC283505451646BD41A668A23DE90E7F0E8B7403ED7BC708E5342
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>2896</Pi
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.456286374618758
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYbYm8M4JhNJFq+q8vMNLjyvkd:uIjfuI7h57VfJhsKM5+vkd
                                                                                                                                    MD5:8A077FB29A7E3FE4E0FF137C906A51C8
                                                                                                                                    SHA1:946ECD7DB48408C15D2FABF777D739856A7A57E9
                                                                                                                                    SHA-256:3B717C69CF607B2B975B8678028C74AFD56B50767BB89A163FAFAA37736F6468
                                                                                                                                    SHA-512:24DF7FBEEBFDD03E0DD4A2BE0618F0E44DB10C0B65C49027B1FCE7E14F62B1620D45F929D0D1CBC47FB54FB89503992B47CA3771156F05828C9E3649C4CDEEB9
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:01 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):150308
                                                                                                                                    Entropy (8bit):1.8493139304742745
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:smfplTvaQRQU3+dL4zwaAYZT69tkfzlW3IbwAYD9GK:smvvyLlQfzlW3IbwAYD9GK
                                                                                                                                    MD5:29BB501BB75768766A93749168D51DD5
                                                                                                                                    SHA1:1402A03DD7234D2F312B39852C259AC823196884
                                                                                                                                    SHA-256:4F4AD30CB2780709647B2E114F8EE502C1F5C60D1FE09230403EA34E0012A137
                                                                                                                                    SHA-512:CBF1610BE678C423A705764DB607046A05E08E2A52E9E7515AC3002295575F356FC936AD4036907786BF8D7F483C7B20AB55B26CB571008DB420319FB73089F5
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... .......=.%f........................,...(.......<...T#......$....N..........`.......8...........T...........8F...............#..........|%..............................................................................eJ.......&......GenuineIntel............T.......P...3.%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
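The "File Type" line for each of the WerFault dumps above (15 streams, timestamp, 0x1205a4 type) is libmagic's rendering of the first 32 bytes of the file, the MINIDUMP_HEADER. Before spending time on a .dmp from a report, it is worth confirming those fields from the bytes and decoding the type flags, which say how much memory the dump actually contains. The following parser is an added example, not Joe Sandbox code or an artifact of the sample: the header layout and MINIDUMP_TYPE bit names are taken from the Windows SDK (minidumpapiset.h), the timestamp is rendered in UTC, and the sample bytes are constructed to mirror the first dump listed above.

```python
"""Parse a MINIDUMP_HEADER and decode its Flags so the 'File Type' line of a
dropped .dmp (stream count, timestamp, 0x... type) can be checked against the
bytes. Added example; not Joe Sandbox code. Field layout follows the Windows
SDK MINIDUMP_HEADER (minidumpapiset.h); the sample header below is constructed."""
import struct
from datetime import datetime, timezone

MDMP_SIGNATURE = b"MDMP"
MDMP_VERSION_LOW = 0xA793  # MINIDUMP_VERSION; high 16 bits are implementation-specific

# MINIDUMP_TYPE bit names from minidumpapiset.h (Windows SDK).
MINIDUMP_TYPE = {
    0x00000001: "MiniDumpWithDataSegs",
    0x00000002: "MiniDumpWithFullMemory",
    0x00000004: "MiniDumpWithHandleData",
    0x00000008: "MiniDumpFilterMemory",
    0x00000010: "MiniDumpScanMemory",
    0x00000020: "MiniDumpWithUnloadedModules",
    0x00000040: "MiniDumpWithIndirectlyReferencedMemory",
    0x00000080: "MiniDumpFilterModulePaths",
    0x00000100: "MiniDumpWithProcessThreadData",
    0x00000200: "MiniDumpWithPrivateReadWriteMemory",
    0x00000400: "MiniDumpWithoutOptionalData",
    0x00000800: "MiniDumpWithFullMemoryInfo",
    0x00001000: "MiniDumpWithThreadInfo",
    0x00002000: "MiniDumpWithCodeSegs",
    0x00004000: "MiniDumpWithoutAuxiliaryState",
    0x00008000: "MiniDumpWithFullAuxiliaryState",
    0x00010000: "MiniDumpWithPrivateWriteCopyMemory",
    0x00020000: "MiniDumpIgnoreInaccessibleMemory",
    0x00040000: "MiniDumpWithTokenInformation",
    0x00080000: "MiniDumpWithModuleHeaders",
    0x00100000: "MiniDumpFilterTriage",
    0x00200000: "MiniDumpWithAvxXStateContext",
    0x00400000: "MiniDumpWithIptTrace",
    0x00800000: "MiniDumpScanInaccessiblePartialPages",
    0x01000000: "MiniDumpFilterWriteCombinedMemory",
}

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp, Flags (ULONG64): 32 bytes, little-endian.
_HEADER = struct.Struct("<4sIIIIIQ")


def decode_flags(flags: int) -> list:
    """Names of the MINIDUMP_TYPE bits set in Flags, lowest bit first."""
    names = [name for bit, name in sorted(MINIDUMP_TYPE.items()) if flags & bit]
    unknown = flags & ~sum(MINIDUMP_TYPE)  # anything outside MiniDumpValidTypeFlags
    if unknown:
        names.append(f"unknown:0x{unknown:x}")
    return names


def parse_minidump_header(data: bytes) -> dict:
    """Return the header fields of a minidump, or raise ValueError when the
    bytes do not start with a plausible MINIDUMP_HEADER."""
    if len(data) < _HEADER.size:
        raise ValueError("too short for a MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, checksum, ts, flags = _HEADER.unpack_from(data)
    if sig != MDMP_SIGNATURE:
        raise ValueError(f"bad signature {sig!r}")
    if version & 0xFFFF != MDMP_VERSION_LOW:
        raise ValueError(f"unexpected MINIDUMP_VERSION 0x{version & 0xFFFF:04x}")
    # Each MINIDUMP_DIRECTORY entry is 12 bytes; the whole directory must lie inside the file.
    if dir_rva < _HEADER.size or dir_rva + nstreams * 12 > len(data):
        raise ValueError("stream directory out of bounds")
    return {
        "streams": nstreams,
        "stream_directory_rva": dir_rva,
        "checksum": checksum,
        "timestamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y"),
        "flags": flags,
        "type_low32": flags & 0xFFFFFFFF,  # libmagic prints only the low 32 bits ("0x1205a4 type")
        "flag_names": decode_flags(flags),
    }


def build_sample_header(nstreams: int = 15, ts: int = 1713742141, flags: int = 0x1205A4) -> bytes:
    """Constructed test data shaped like the first WerFault dump listed above
    (15 streams, Sun Apr 21 23:29:01 2024 UTC, type 0x1205a4), followed by one
    zeroed 12-byte directory slot per stream so the bounds check passes."""
    hdr = _HEADER.pack(MDMP_SIGNATURE, 0x0000A793, nstreams, _HEADER.size, 0, ts, flags)
    return hdr + b"\x00" * (12 * nstreams)


if __name__ == "__main__":
    info = parse_minidump_header(build_sample_header())
    print(f"{info['streams']} streams, {info['timestamp_utc']}, 0x{info['type_low32']:x} type")
    for name in info["flag_names"]:
        print("  ", name)
```

Running it on the constructed header reproduces the report's "15 streams, Sun Apr 21 23:29:01 2024, 0x1205a4 type" line and decodes 0x1205a4 as MiniDumpFilterTriage together with WithoutOptionalData, IgnoreInaccessibleMemory, WithHandleData, WithUnloadedModules, FilterModulePaths and WithProcessThreadData. That combination is a WER triage dump, not a full-memory dump, so the heap of the crashed RisePro process will be largely absent; stacks, module lists and handle data are what these files can be expected to give.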
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8412
                                                                                                                                    Entropy (8bit):3.6975274701715266
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfCjf6uSYh6Y9ASU99pgmf6EVpBP89b6Rsfcuem:R6lXJ8f6uSYh6YKSU99pgmf9K6Kfce
                                                                                                                                    MD5:20304CAE3A5B796FCFA51ED0966FFB37
                                                                                                                                    SHA1:BC54CB83C9841A2E49A9233E8D3259916954E7F4
                                                                                                                                    SHA-256:65A596CFACD0CD7D8E0424BB2E441DD62D539E7CBA63214ACAE5764A085CB792
                                                                                                                                    SHA-512:4B673BA773E116A73984D420031D6E2B6783210EB4E61D60B1BF0C3D11876E3B023E2F379D37EE7278226AE4352AAF0E3FC244AC099FAC6A005EED670A3D603C
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.9.6.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.457452473521463
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VY1Ym8M4JhNJFpH+q8vMNLjyvkd:uIjfuI7h57VpJhfKM5+vkd
                                                                                                                                    MD5:9A471223257D890379BEE6BD8A8B43D6
                                                                                                                                    SHA1:04542873D6AC804EC29ACB536E510C864CABFF89
                                                                                                                                    SHA-256:51A621DEF16F6798E40E6D5E7F6A10FD6ED321B7E186C5E78A7EAA3AC1B3D925
                                                                                                                                    SHA-512:63104042876DEF8AD0CC5B01107E92920AC80EF2B45D7910E4CED60803E0E6237D671DA945740F65A3E14ECE0F100AB38C7BC2F4A290CB3FCFBCCA114106AF0E
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:03 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):120602
                                                                                                                                    Entropy (8bit):2.1150610939545147
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:iRtwWt4lTve+z1wG90wGaAYZP6uH1rtdR5fVw:iRtmGA1wG9u+rtdR3
                                                                                                                                    MD5:D7FEFC0E60AA0125EFEB17AF5B40A531
                                                                                                                                    SHA1:0F9FD1891C3EDEA91AEA7AE5983317628E57D419
                                                                                                                                    SHA-256:C26D4904EDF8FEA5AFE69F3A617DB9BBA7239FA5E9E0C5C93B4D39BDFAA48B06
                                                                                                                                    SHA-512:D18803245A7C9FD287166BC4823759FB591FE415561E6E65E75BA2484C164B56C23136FA25740D09543639DD68E5DB024255861D4CDE04D8BC63B33ED2E059FB
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... .......?.%f............................(.......l...,$......T...|P..........`.......8...........T............I..r............$...........&..............................................................................eJ.......'......GenuineIntel............T.......P...3.%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8412
                                                                                                                                    Entropy (8bit):3.6952816697682493
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfCH6w0m6Y9zvSU9aQgmf60aAjAypBZ89bIRsf54m:R6lXJC6i6YBvSU9aQgmftaAjAzIKfj
                                                                                                                                    MD5:F26502973E2111A05B4B4033D8CBE05C
                                                                                                                                    SHA1:CCD5A7E36841AF875097172F564C109008E33004
                                                                                                                                    SHA-256:D7B6426CE76A05F992370436277075A52F5EA523B02631BF8C1EE660ABE6F8DD
                                                                                                                                    SHA-512:375B414E15C1ECA04FFA48D04C4F3B26C95D57DA4D9FB6B9E73AD5D9CE04E787B31A945E7452ED5BDA88491FDC577442B42A621669D2EE9F965C04DBEAFFB065
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.9.6.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.453345672510294
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VY7Ym8M4JhNBFkE+q8vMNTjyvkd:uIjfuI7h57VzJhjKMp+vkd
                                                                                                                                    MD5:F1D47C7E5B392567AE683C8871300D2F
                                                                                                                                    SHA1:C69576B283B91AFE8DE6F32A31CD66DC84E1C5F4
                                                                                                                                    SHA-256:B4BDEFD4F9191A3CD7A9BB45BC40AFD07E97F40762D0FD442826D582D89C2AD3
                                                                                                                                    SHA-512:8FDB4F21A2077252D5EED11A4AFD8CB57F162D1C3D04A70FBFA249B25ED7E02E0FF395CEE95E4684F4F138997ADAE446BCB96DF7D94735D995E98339A55DF50F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:04 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):115126
                                                                                                                                    Entropy (8bit):2.1536972780188384
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:ztMjZhp4lTvv+UuYwfwGaAYZP6qqNBjG7jX:zkXSHfuYwXNN9G7b
                                                                                                                                    MD5:35EFAD8A16D07C63AE3C307FD9656660
                                                                                                                                    SHA1:EB3453B53DE6A5779C54E0D4C3E5A28A430EB2EA
                                                                                                                                    SHA-256:0EBD36B88603F43369E57A9E21CA49CB7D0CE3E9E948F77A069E87DFBA546990
                                                                                                                                    SHA-512:00BD248A6933170432FEB9BC82A737C8E0F7C9C2B9E6A2DBD8A082D732CFCD522A1A2C461AD59D206E0CF392924A6BD60228F4DD50E119AE9CCBC6D4FC4FBF14
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... .......@.%f....................................l....#......$....M..........`.......8...........T............I...x..........h$..........T&..............................................................................eJ.......&......GenuineIntel............T.......P...3.%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8412
                                                                                                                                    Entropy (8bit):3.6959009564632064
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJfCh6m4m6Y9PSU9aQgmf60aAjAypBa89bnRsfptm:R6lXJE6Y6YFSU9aQgmftaAjAGnKfK
                                                                                                                                    MD5:E58D6F2A19C77FBF95EB8BF4F3B189C7
                                                                                                                                    SHA1:25FD36DF0D427536682F21E8814D065DB7633746
                                                                                                                                    SHA-256:AE868E33C5C7BB393440DC18D14DCEFF8FB7F105E48E876975545A9C21FBF22B
                                                                                                                                    SHA-512:F7651E217D458E0A8C66FE15A19B29CCCFFE69BBF85D1D3EC3B7C8B928C8A09B30CF2E10D4910DCBE7F3735D9094267FD161B4CB534B353CBE01F9DC1344A97E
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.9.6.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.455519333234965
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYZYm8M4JhNBFT+q8vMNTjyvkd:uIjfuI7h57VRJhZKMp+vkd
                                                                                                                                    MD5:260F64159633BFC207F6AA1893DB766A
                                                                                                                                    SHA1:BAAEA9EAC95277F1AA53E2D414501DE5B090845B
                                                                                                                                    SHA-256:DF8AA3B5478F6285036AB72AFD52BD4991B900A0B08FFDC9DE2DF8C0B5D39F66
                                                                                                                                    SHA-512:E8FD4118B1A30E755E94238033707DB635E2D6F5B12178C3E0CDC957A596C48FA9287C3A44B46DB51E5B8E7B3D5030DC534E7921ED6C5E4A4E30F20BF8F55128
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:05 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):152116
                                                                                                                                    Entropy (8bit):1.9053283694109437
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:GVeQuM3sp6KW34lTvLCOdo7wGaAYZP6NCZ/Nzwo57QvoMQTJO9mKuB:KsIMDxdobQZ1Mo57QvoMQTJO9mKuB
                                                                                                                                    MD5:69740F057E604A29ACDC06673565EBA1
                                                                                                                                    SHA1:360389A2025BB039E2D36ED2BE3612D43154392D
                                                                                                                                    SHA-256:47A57CCF1B4A522DDBDB44A125AD7009953877CDA73CE8EB6C7C236C26324C1B
                                                                                                                                    SHA-512:4B437971EA6C434A012A42FCC2A4CE20C9F517B2DAA3CB0898C3C31115BDD1331D453B3CF9DDDEBAC8B0874E59057E13B8898776E1D68E874634DBF33250C939
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... .......A.%f........................p...........l....%..........._..........`.......8...........T............K..$............%...........'..............................................................................eJ......x(......GenuineIntel............T.......P...3.%f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8412
Entropy (8bit):3.698411100482801
Encrypted:false
SSDEEP:192:R6l7wVeJfCe616Y9DSU9Z5gmf6EVpBa89beRsfXAqm:R6lXJb616YZSU9Z5gmf9ZeKfXc
MD5:471EC40A0C4A5B051AAFE7D408B97A2B
SHA1:6125BA114B750B0EBFD25E3A0AD02431716D8C75
SHA-256:2E74D3018A5C370EFFF8E41307307E3DCCAE07F686803F397F72FC5905A80D32
SHA-512:851A049C945546BAA557E2EC013D1D63B6318619FC0F2AD976BD3B319997E2B5AC1F57B33F7F86F0582D3D244E14AB3D18BFA7033C7B522FC6A1B353802D0D8A
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>2896</Pi
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4692
Entropy (8bit):4.455769659011207
Encrypted:false
SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYdYm8M4JhNJFv+q8vMNLjyvkd:uIjfuI7h57V5JhBKM5+vkd
MD5:75940B10124AA64A45B36335984EA5A4
SHA1:9E5DCD336AC386D351DE5E138897E247AE57318A
SHA-256:488C401645D8F42DFAFE0586AB272894F5C45967D2D8E90C0BA7B425E7C66D27
SHA-512:D8E19ACFBEC86A9B3D87263BB5F4F0109918DFB73DF22157694E8537895311E9EADCE39DC13BF5E5E30838421E6751690F78B88AD92A115A18EAC85A11560FFF
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:07 2024, 0x1205a4 type
Category:dropped
Size (bytes):151664
Entropy (8bit):1.9126789958067452
Encrypted:false
SSDEEP:768:bZ8y4crhsp6Kp4lTvvUxzRQU3BkdwGaAYZP6Npj8xLIZe2Wt7kvEM0:bBscenkpDj8tIZe2Wt7kvEM0
MD5:BEB1D1D25EF16E9E292EA7F81A1BD87D
SHA1:9E1361A57023CC4FE1FA282D3104C7F9F9056919
SHA-256:D595E4743BF7B65136AA43D83CFD4C1D35855C77C014E0351A95C0703E225320
SHA-512:89FD7E7E431B0E826D0939DEB902CF9BF185C5EB37473F6A698D98E80E6259A8C8614D3C8ECE8DAF365D43CFAD22622932A0D6EA9C8BF3078795BDE75FD1D91C
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8412
Entropy (8bit):3.6991458845765512
Encrypted:false
SSDEEP:192:R6l7wVeJfC56x6Y9/mSU9p6gmf6EVpBl89bGbRsfrAjm:R6lXJ86x6YESU9p6gmf9YGbKf86
MD5:140968D3B787B4747C19B7B3F82768B3
SHA1:8511DA398ED0057BE43100C0F76C640DFEC0F177
SHA-256:0E444501FAAE333C3FE6356E205EDB3DBA7BD81FEB94B7FF7FF636872CF94064
SHA-512:9E560B1998EE2248E773E01734E6B81BEDC882B9B8E1F6DF96B688A7DD32E86A954C56B6B51F651C49B09C3B983C587BB74499F83C689AA642099D40C04C2B11
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>2896</Pi
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4692
Entropy (8bit):4.4578670689810025
Encrypted:false
SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYZYm8M4JhNJFn+q8vMNLjyvkd:uIjfuI7h57VFJhBKM5+vkd
MD5:FE01A48CB7EBBE666EF0F02C94B3FC5A
SHA1:70A379D01A498EDBD2CC4FC9E7DEB2E8498D40E7
SHA-256:653F26E6D52FD3C5CB7C1BBB9D5A3595BA5E9A89DF1D214F3A44CE6B8421D144
SHA-512:6B023BB1B4FAD9B447C69B1EFF71C2B90FA7F2C1C3BC3E5F64E67C7CA4133D747AF0566646852375FAFB07E2D495F7F560FD2E63A9CE637C741D87D76E5FF416
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:09 2024, 0x1205a4 type
Category:dropped
Size (bytes):151172
Entropy (8bit):1.9275516387321967
Encrypted:false
SSDEEP:768:xSsEMvsp6KD4lTvgqegOwqwGaAYZP6BBZ4oZzvhSjYR/+fS106s:LsCdegOwwLZ4EzvhSjYR/+fS106s
MD5:0E5594C09311EAE4EDD34602F9999F8F
SHA1:DE8D91EB5EB8789C36A89AF9412D412CABFA908A
SHA-256:E2DD3F72EE59417C1FA6EC334E35F10DA653527B6E49E8F2FDFAEB5CEE74FBBA
SHA-512:75931635594634E7ECB9627013E32ED81A3B736059A9B29EE49094D036C64FF8E9202B6A81D26CB4DF0382C7710C06A4FB1B157D2F6F25F24ABBFD8482B786E9
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8412
Entropy (8bit):3.697815845654339
Encrypted:false
SSDEEP:192:R6l7wVeJfCI6V6Y9eSU9mIgmf60aAjAypB989bCRsf42m:R6lXJd6V6Y0SU9mIgmftaAjAvCKfQ
MD5:BA313197542CD4E87DB8AFE6D7791B20
SHA1:B5B3567C118A5F89CC1C1619C35805B72A2FD13E
SHA-256:6E44E58D3B8029955A2DF6BCEB37A52B6B7D9A37D54F1371ABB039C9D9CEB646
SHA-512:AFCEFBE6F7E9F269F44914BE7ED7DC0717A470E006FD7690DA80ED2E25FA4FA785FE27A8EF33D12C8DD4CED7C596BE2D4D9424E6D26C4D4579875C9317A6C90B
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>2896</Pi
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4692
Entropy (8bit):4.452740239107526
Encrypted:false
SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VY+Ym8M4JhNBF44+q8vMNTjyvkd:uIjfuI7h57V2JhvKMp+vkd
MD5:BFCAD7A79D80DBC2A446EE5F5B8E9D7B
SHA1:CA0439C196BD38D3EC5F9B87CFDA5BB36086A105
SHA-256:BB781E6079CED5773FA2E204BCDED88C8DC1C69F408F4062D1138D92C74F8A6B
SHA-512:A7F80DE3E35DB52464A9403F42C32DBAE08B1CE4D6CCF43D4A9075A5A40A32CD133E991008C3707B0F4AD6DDCB966030D2EC4D87E5FEF303FF640DEDFA4C3C5C
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sun Apr 21 23:29:09 2024, 0x1205a4 type
Category:dropped
Size (bytes):145696
Entropy (8bit):1.9541136968837163
Encrypted:false
SSDEEP:768:3+LAAYL1Jj9W4lTvcHjwrMwGaAYZP6BAUX/tLJZF:3bRZKjwrWrX1LJZF
MD5:C4167176EB0B89D7C9CE4AF98B2BF922
SHA1:A69B3626216243739A45692A80A127B51FAE0CBA
SHA-256:FC4D5BDC952C6C6BE545F1FF1E36792559EDDE2721496E8B105351F386CF4917
SHA-512:EB8902931A3D7CC71D7CB39B107D0D83718D641B9E13E351E4A1EE1EEF26A07947A91B887B5448FC08829EF95E13E3B8A8451AC3ED52F561880170BC2875E5C2
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8412
Entropy (8bit):3.6976586447083672
Encrypted:false
SSDEEP:192:R6l7wVeJfCM6G6Y9mSU9mIgmf60aAjAypBB89bCRsfL2m:R6lXJp6G6YsSU9mIgmftaAjA7CKfj
MD5:C14B55EC67CF087BD1AB50C637BD289B
SHA1:28A361EF8B33315FE7CBED85723DA9A546ACB67C
SHA-256:27217515CEA3CB4AF1BA38DE16535400A01D86550DBF4F2C5D418C87681BF8E6
SHA-512:552C0B4F0F87B571EF2DC356D02C15AFB2C7E4625F5DE9DCBEBFD43B73D29C50D22EB3860F96DA2849CA265A54C8636A3F9BE02B2CA97D8A76AC4AFF928881BB
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>2896</Pi
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4692
                                                                                                                                    Entropy (8bit):4.456814442687764
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsoJg77aI9TAWpW8VYtYm8M4JhNBFP+q8vMNTjyvkd:uIjfuI7h57VJJhRKMp+vkd
                                                                                                                                    MD5:76130B511AEA58092885A5F2F18BABA0
                                                                                                                                    SHA1:DA6C0730558951AD98CF2B7892ECE8AB7BCE925F
                                                                                                                                    SHA-256:33DBE3126F9A426FF4129D19A45D8356C8947789EDBCA6F673C3EBD8AAEBC381
                                                                                                                                    SHA-512:B9298903EA65132A3842C963D2B5CE01EED4422127DA761936E3E9AD59A9F5EC5EDE39E6DC7FE21E67DC3A428DF2518F8A11C78D64C2CE7C38C4B6DDA977FDB5
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="290311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):5495
                                                                                                                                    Entropy (8bit):7.899150804081277
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:wk6yWGzqeAoMq+YK0KF8cAJiI2i+uWbnYrIZlGAyujvIWFw3KJ5kgFaL:vhqASpF8wF9/ECvIx6JOp
                                                                                                                                    MD5:1236012D43014D116638CD0D693CA44F
                                                                                                                                    SHA1:3045600BD24CBA58BE4BE6DEEFC98E0CDEB68241
                                                                                                                                    SHA-256:39DBB196F9FF54A6E21383FCDDF77EC08F31CB284D8DCA4139D49671DF6616EE
                                                                                                                                    SHA-512:A14BE6E29196E36B5B14914577D4A2F6BF8D516D9CF962F68367A01C0B0883BD05842675392943571FA0F5E6834C2CEDC5632EB0E99E1CD43B24C2DC8DA1E931
                                                                                                                                    Malicious:true
                                                                                                                                    Yara Hits:
                                                                                                                                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\W9yZG_t61Z_J7GfmBn540XA.zip, Author: Joe Security
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):40960
                                                                                                                                    Entropy (8bit):0.8553638852307782
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):49152
                                                                                                                                    Entropy (8bit):0.8180424350137764
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                    MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                    SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                    SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                    SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):114688
                                                                                                                                    Entropy (8bit):0.9746603542602881
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):159744
                                                                                                                                    Entropy (8bit):0.7873599747470391
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                    MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                    SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                    SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                    SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):126976
                                                                                                                                    Entropy (8bit):0.47147045728725767
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                    MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                    SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                    SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                    SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):106496
                                                                                                                                    Entropy (8bit):1.1358696453229276
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):106496
                                                                                                                                    Entropy (8bit):1.1358696453229276
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):40960
                                                                                                                                    Entropy (8bit):0.8553638852307782
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):114688
                                                                                                                                    Entropy (8bit):0.9746603542602881
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
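The File Type line in each of the SQLite entries above is libmagic's rendering of the 100-byte SQLite file header, and in every one of them Size (bytes) equals the header's page size (4096 when the line omits it) multiplied by the header's page count, which is what a complete, fully flushed copy of a database looks like. The following added example (not part of the Joe Sandbox report or of file.exe) re-derives those header fields, the 8-bit entropy and the hashes from a file on disk and performs that size cross-check. The small database it builds, its table and the path name it uses are constructed for the demonstration; the header offsets follow the SQLite file format documentation.

```python
"""Re-derive the Joe Sandbox dropped-file fields for a SQLite database and cross-check them.

Added example, not part of the report or the analysed sample. Offsets are from
https://www.sqlite.org/fileformat.html; describe() mirrors the file(1)/libmagic
rule that produced the report's "File Type" line.
"""
import hashlib
import math
import os
import sqlite3
import struct
import tempfile
from collections import Counter

MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16 little endian", 3: "UTF-16 big endian"}


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the header fields the report shows; raise if the magic is absent."""
    if len(data) < 100 or data[:16] != MAGIC:
        raise ValueError("not a SQLite 3 database (bad magic or truncated header)")
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    be32 = lambda off: struct.unpack_from(">I", data, off)[0]
    return {
        "page_size": page_size,
        "change_counter": be32(24),     # "file counter" in the report
        "page_count": be32(28),         # "database pages"
        "schema_cookie": be32(40),      # "cookie"
        "schema_format": be32(44),      # "schema"
        "text_encoding": be32(56),
        "application_id": be32(68),
        "version_valid_for": be32(92),
        "sqlite_version": be32(96),     # SQLITE_VERSION_NUMBER of the last writer
    }


def describe(h: dict) -> str:
    """Render the header as libmagic does: page size only when it is not 4096,
    application id only when nonzero, cookie printed like C's %#x."""
    parts = ["SQLite 3.x database"]
    if h["application_id"]:
        parts.append(f"application id {h['application_id']}")
    parts.append(f"last written using SQLite version {h['sqlite_version']}")
    if h["page_size"] != 4096:
        parts.append(f"page size {h['page_size']}")
    parts.append(f"file counter {h['change_counter']}")
    parts.append(f"database pages {h['page_count']}")
    cookie = h["schema_cookie"]
    parts.append("cookie " + (f"{cookie:#x}" if cookie else "0"))
    parts.append(f"schema {h['schema_format']}")
    if h["text_encoding"] in ENCODINGS:
        parts.append(ENCODINGS[h["text_encoding"]])
    parts.append(f"version-valid-for {h['version_valid_for']}")
    return ", ".join(parts)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the same 8-bit entropy the report lists (0 constant, 8 uniform random)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(path: str) -> dict:
    """Report-style fields for one file plus two consistency checks: the header's
    page geometry must equal the real size, and the in-header page count is only
    trustworthy while change_counter == version_valid_for."""
    with open(path, "rb") as f:
        data = f.read()
    h = parse_sqlite_header(data)
    return {
        "file_type": describe(h),
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "size_matches_header": h["page_size"] * h["page_count"] == len(data),
        "page_count_valid": h["change_counter"] == h["version_valid_for"],
        "header": h,
    }


def synthetic_header(page_size, counter, pages, cookie, schema, enc, vvf, version) -> bytes:
    """Constructed 100-byte header with the given field values (for checking describe())."""
    buf = bytearray(100)
    buf[:16] = MAGIC
    struct.pack_into(">H", buf, 16, 1 if page_size == 65536 else page_size)
    for off, val in ((24, counter), (28, pages), (40, cookie), (44, schema),
                     (56, enc), (92, vvf), (96, version)):
        struct.pack_into(">I", buf, off, val)
    return bytes(buf)


def make_sample_db(path: str) -> None:
    """Constructed stand-in for a dropped database: 2048-byte pages, one table, two rows."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit, each statement is a write
    conn.execute("PRAGMA page_size = 2048")             # must precede the first write
    conn.execute("CREATE TABLE t (k TEXT, v TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", [("a", "1"), ("b", "2")])
    conn.close()


def expected_version_number() -> int:
    """SQLITE_VERSION_NUMBER of the linked library, to compare with the offset-96 field."""
    major, minor, patch = sqlite3.sqlite_version_info
    return major * 1000000 + minor * 1000 + patch


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dropped.db")  # constructed path
        make_sample_db(path)
        return triage(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `triage()` over a database carved from the sandbox or recovered from a suspect temp directory: a page count times page size that differs from the real size means the copy was truncated or taken mid-write, and a change counter that differs from version-valid-for means the in-header page count is stale. The very low entropies listed above (0.47 to 2.6 bits per byte) together with Encrypted:false are what sparse, mostly empty SQLite pages look like, not encrypted content.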
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):6085
                                                                                                                                    Entropy (8bit):6.038274200863744
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                                                                                                                    MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                                                                                                                    SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                                                                                                                    SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                                                                                                                    SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):5576
                                                                                                                                    Entropy (8bit):5.370309588820505
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:xraXZRbicT4Aisph+9hcmf/aPikANUbg3x:x0NivAtphWhcmf/aPOB
                                                                                                                                    MD5:1B4EAB0ACFE8F5F8589712E0AA58E893
                                                                                                                                    SHA1:3BA4DDA32E364E78E5C336FF57ECA3252D08A424
                                                                                                                                    SHA-256:6FF5E3C56706A12B2B04C92377A648B09F08FD18A5E0662BDC423659227AD72A
                                                                                                                                    SHA-512:372D97F0536A37BD136EC1D2C4D1C941351DC91E09A8A4AE0679BE91AF190DC34E084A6AC7FA4871E67B2C619CB43F441B7435DE196B52DDADDF8F2446AAACF4
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:Build: fufes..Version: 1.9....Date: Mon Apr 22 01:29:04 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 5dae1d66b9e5e9735be7dfdd4f60af51....Path: C:\Users\user\Desktop\file.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyBKaHSrnNvXxX....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 066656 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 22/4/2024 1:29:4..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784]..svcho
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4897
                                                                                                                                    Entropy (8bit):2.518316437186352
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                    MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                    SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                    SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                    SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                    Malicious:false
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1835008
                                                                                                                                    Entropy (8bit):4.465279137708291
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:6144:3IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbG:4XD94+WlLZMM6YFH1+G
                                                                                                                                    MD5:E0248D14EA942B24B73A4C31C431A63B
                                                                                                                                    SHA1:44718D5C4D49339D2E90308F510A31A8FEED0D52
                                                                                                                                    SHA-256:DB7C1140A3BABD44910BB5849ED0E05DDEE0F75CA46D3BD5D376A4F09CBCCFF6
                                                                                                                                    SHA-512:45541AE50B683B846CE0FC99CB1650D1D063609CCA343C9729038896275E98DB2764EA54FD1412593A8BA4BAFAB764268518B336AE88EEB1B00F7791EA91967B
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:regfG...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.b.C
                                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                    Entropy (8bit):7.766442912330682
                                                                                                                                    TrID:
                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                    File name:file.exe
                                                                                                                                    File size:997'888 bytes
                                                                                                                                    MD5:5f30e027d147af1de92391f2e18644c8
                                                                                                                                    SHA1:febe9d268d31c17a24c0cae2d2e2b5d617d8608f
                                                                                                                                    SHA256:8f82f1de5cd507dd90c604c127dfe50e366530fbc0bbe2841ce68767d911cc65
                                                                                                                                    SHA512:671aaf72c280f56f5f5d11d138946d1b30e6625670c9be1350cc6eac560be5af2c48906b04b14c072efe4cd313d3d0694128475548d5efe0721f97990631e809
                                                                                                                                    SSDEEP:24576:V3l3jR7ECfW0DJfsOtKSpnywvEITMp2hiF3UdEbwQ:V3Jj2CfZJf1KSXsM22A3UdYw
                                                                                                                                    TLSH:68251202F6F2A434F5A70B3A48349B1506BFFD339A74859FA388320E69B15D06772B53
                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....|...|...|.......|.....z.|.....*.|.......|...}.v.|..4....|.......|..4....|.Rich..|.........PE..L....2.d...................
                                                                                                                                    Icon Hash:cd0d3d2e4e054d05
                                                                                                                                    Entrypoint:0x40405d
                                                                                                                                    Entrypoint Section:.text
                                                                                                                                    Digitally signed:false
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    Subsystem:windows gui
                                                                                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                    Time Stamp:0x64C1320B [Wed Jul 26 14:47:39 2023 UTC]
                                                                                                                                    TLS Callbacks:
                                                                                                                                    CLR (.Net) Version:
                                                                                                                                    OS Version Major:5
                                                                                                                                    OS Version Minor:1
                                                                                                                                    File Version Major:5
                                                                                                                                    File Version Minor:1
                                                                                                                                    Subsystem Version Major:5
                                                                                                                                    Subsystem Version Minor:1
                                                                                                                                    Import Hash:43cb5d6ab6c623f5883f711e054621c1
                                                                                                                                    Instruction
                                                                                                                                    call 00007F66B87BC048h
                                                                                                                                    jmp 00007F66B87B6415h
                                                                                                                                    push 00000014h
                                                                                                                                    push 004166D8h
                                                                                                                                    call 00007F66B87B9592h
                                                                                                                                    call 00007F66B87BB153h
                                                                                                                                    movzx esi, ax
                                                                                                                                    push 00000002h
                                                                                                                                    call 00007F66B87BBFDBh
                                                                                                                                    pop ecx
                                                                                                                                    mov eax, 00005A4Dh
                                                                                                                                    cmp word ptr [00400000h], ax
                                                                                                                                    je 00007F66B87B6416h
                                                                                                                                    xor ebx, ebx
                                                                                                                                    jmp 00007F66B87B6445h
                                                                                                                                    mov eax, dword ptr [0040003Ch]
                                                                                                                                    cmp dword ptr [eax+00400000h], 00004550h
                                                                                                                                    jne 00007F66B87B63FDh
                                                                                                                                    mov ecx, 0000010Bh
                                                                                                                                    cmp word ptr [eax+00400018h], cx
                                                                                                                                    jne 00007F66B87B63EFh
                                                                                                                                    xor ebx, ebx
                                                                                                                                    cmp dword ptr [eax+00400074h], 0Eh
                                                                                                                                    jbe 00007F66B87B641Bh
                                                                                                                                    cmp dword ptr [eax+004000E8h], ebx
                                                                                                                                    setne bl
                                                                                                                                    mov dword ptr [ebp-1Ch], ebx
                                                                                                                                    call 00007F66B87B9408h
                                                                                                                                    test eax, eax
                                                                                                                                    jne 00007F66B87B641Ah
                                                                                                                                    push 0000001Ch
                                                                                                                                    call 00007F66B87B64F1h
                                                                                                                                    pop ecx
                                                                                                                                    call 00007F66B87B8AE9h
                                                                                                                                    test eax, eax
                                                                                                                                    jne 00007F66B87B641Ah
                                                                                                                                    push 00000010h
                                                                                                                                    call 00007F66B87B64E0h
                                                                                                                                    pop ecx
                                                                                                                                    call 00007F66B87BAE9Ch
                                                                                                                                    and dword ptr [ebp-04h], 00000000h
                                                                                                                                    call 00007F66B87BA4F5h
                                                                                                                                    test eax, eax
                                                                                                                                    jns 00007F66B87B641Ah
                                                                                                                                    push 0000001Bh
                                                                                                                                    call 00007F66B87B64C6h
                                                                                                                                    pop ecx
                                                                                                                                    call dword ptr [004100C8h]
                                                                                                                                    mov dword ptr [040D7A4Ch], eax
                                                                                                                                    call 00007F66B87BC02Fh
                                                                                                                                    mov dword ptr [004E6A00h], eax
                                                                                                                                    call 00007F66B87BBC2Ch
                                                                                                                                    test eax, eax
                                                                                                                                    jns 00007F66B87B641Ah
                                                                                                                                    Programming Language:
                                                                                                                                    • [ASM] VS2013 build 21005
                                                                                                                                    • [ C ] VS2013 build 21005
                                                                                                                                    • [C++] VS2013 build 21005
                                                                                                                                    • [IMP] VS2008 SP1 build 30729
                                                                                                                                    • [RES] VS2013 build 21005
                                                                                                                                    • [LNK] VS2013 UPD5 build 40629
                                                                                                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x16b0c          0x50          .rdata
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3cd8000        0xee58        .rsrc
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x10200          0x38          .rdata
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x160b0          0x18          .rdata
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x16068          0x40          .rdata
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x10000          0x190         .rdata
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                                                                                    Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
                                                                                                                                    .text   0x1000           0xe403        0xe600    590cc0bd6f8bcc8f80a46e1c375b800c  False     0.601953125         data       6.680942552005868  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                    .rdata  0x10000          0x7440        0x7600    1560bf9c69cef0ed073692a7553e3c60  False     0.3897974046610169  data       4.887444766557987  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                    .data   0x18000          0x3cbfa64     0xcea00   e7c90b233c7d1f1b2075f03b8765b98e  unknown   unknown             unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                    .rsrc   0x3cd8000        0xee58        0xf000    ce35a0ad0d757bc5db78cd7e6465e998  False     0.47861328125       data       5.238002400787557  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3cd8570 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Romanian | Romania | 0.48667377398720685
RT_ICON | 0x3cd9418 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Romanian | Romania | 0.5938628158844765
RT_ICON | 0x3cd9cc0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Romanian | Romania | 0.6526497695852534
RT_ICON | 0x3cda388 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Romanian | Romania | 0.6589595375722543
RT_ICON | 0x3cda8f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Romanian | Romania | 0.39180497925311203
RT_ICON | 0x3cdce98 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Romanian | Romania | 0.5077392120075047
RT_ICON | 0x3cddf40 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Romanian | Romania | 0.5860655737704918
RT_ICON | 0x3cde8c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Romanian | Romania | 0.6773049645390071
RT_ICON | 0x3cdeda8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.4139125799573561
RT_ICON | 0x3cdfc50 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.4598375451263538
RT_ICON | 0x3ce04f8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.554147465437788
RT_ICON | 0x3ce0bc0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.44942196531791906
RT_ICON | 0x3ce1128 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.46307053941908716
RT_ICON | 0x3ce36d0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.4793621013133208
RT_ICON | 0x3ce4778 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.494672131147541
RT_ICON | 0x3ce5100 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.5540780141843972
RT_DIALOG | 0x3ce57c8 | 0x52 | data | | | 0.8780487804878049
RT_STRING | 0x3ce5820 | 0x322 | data | Romanian | Romania | 0.47256857855361595
RT_STRING | 0x3ce5b48 | 0x5a8 | data | Romanian | Romania | 0.43577348066298344
RT_STRING | 0x3ce60f0 | 0x1e4 | data | Romanian | Romania | 0.4772727272727273
RT_STRING | 0x3ce62d8 | 0x322 | data | Romanian | Romania | 0.47381546134663344
RT_STRING | 0x3ce6600 | 0x698 | data | Romanian | Romania | 0.4259478672985782
RT_STRING | 0x3ce6c98 | 0x1ba | data | Romanian | Romania | 0.5135746606334841
RT_GROUP_ICON | 0x3cded30 | 0x76 | data | Romanian | Romania | 0.6610169491525424
RT_GROUP_ICON | 0x3ce5568 | 0x76 | data | Romanian | Romania | 0.6694915254237288
RT_VERSION | 0x3ce55e0 | 0x1e4 | data | | | 0.5371900826446281
DLL | Import
KERNEL32.dll | LocalCompact, GetUserDefaultLCID, AddConsoleAliasW, CreateHardLinkA, GetTickCount, EnumTimeFormatsW, GetUserDefaultLangID, FindResourceExA, GetVolumeInformationA, GetLocaleInfoW, GetCompressedFileSizeA, GetTempPathW, SetThreadLocale, SetLastError, GetProcAddress, CreateTimerQueueTimer, FindFirstChangeNotificationW, BuildCommDCBW, LoadLibraryA, WriteConsoleA, InterlockedExchangeAdd, LocalAlloc, SetCalendarInfoW, GetExitCodeThread, RemoveDirectoryW, AddAtomA, SetNamedPipeHandleState, GlobalFindAtomW, GetModuleFileNameA, GetOEMCP, GlobalUnWire, LoadLibraryExA, ReadConsoleInputW, GetWindowsDirectoryW, AddConsoleAliasA, SetFileAttributesA, GetComputerNameA, WriteConsoleW, OutputDebugStringW, GetLastError, HeapFree, EncodePointer, DecodePointer, ReadFile, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetCommandLineA, RaiseException, RtlUnwind, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, IsDebuggerPresent, HeapAlloc, GetProcessHeap, HeapSize, EnterCriticalSection, LeaveCriticalSection, SetFilePointerEx, GetConsoleMode, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, CloseHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, WriteFile, GetModuleFileNameW, LoadLibraryExW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStringTypeW, HeapReAlloc, LCMapStringW, SetStdHandle, GetConsoleCP, FlushFileBuffers, CreateFileW
ADVAPI32.dll | DeregisterEventSource
WINHTTP.dll | WinHttpConnect
Language of compilation system | Country where language is spoken | Map
Romanian | Romania |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/22/24-01:28:54.900516 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
04/22/24-01:28:55.338745 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
04/22/24-01:28:55.099915 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
04/22/24-01:28:58.805975 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 22, 2024 01:28:54.661473036 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:28:54.880594969 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:28:54.880693913 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:28:54.900516033 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:28:55.099915028 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:28:55.119390965 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:28:55.119645119 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:28:55.222831011 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:28:55.338745117 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:28:55.394500971 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:28:55.483964920 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:28:57.981108904 CEST | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Apr 22, 2024 01:28:57.981194019 CEST | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Apr 22, 2024 01:28:57.981261969 CEST | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Apr 22, 2024 01:28:57.984538078 CEST | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Apr 22, 2024 01:28:57.984572887 CEST | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Apr 22, 2024 01:28:58.223450899 CEST | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Apr 22, 2024 01:28:58.223562956 CEST | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Apr 22, 2024 01:28:58.226178885 CEST | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Apr 22, 2024 01:28:58.226201057 CEST | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Apr 22, 2024 01:28:58.226548910 CEST | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Apr 22, 2024 01:28:58.269516945 CEST | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Apr 22, 2024 01:28:58.805974960 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:28:58.938863039 CEST | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Apr 22, 2024 01:28:58.980144024 CEST | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Apr 22, 2024 01:28:59.032304049 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:28:59.074306011 CEST | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Apr 22, 2024 01:28:59.074489117 CEST | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Apr 22, 2024 01:28:59.074585915 CEST | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Apr 22, 2024 01:28:59.077487946 CEST | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Apr 22, 2024 01:28:59.077529907 CEST | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Apr 22, 2024 01:28:59.077578068 CEST | 49731 | 443 | 192.168.2.4 | 34.117.186.192
Apr 22, 2024 01:28:59.077595949 CEST | 443 | 49731 | 34.117.186.192 | 192.168.2.4
Apr 22, 2024 01:28:59.082017899 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:28:59.188054085 CEST | 49732 | 443 | 192.168.2.4 | 172.67.75.166
Apr 22, 2024 01:28:59.188169003 CEST | 443 | 49732 | 172.67.75.166 | 192.168.2.4
Apr 22, 2024 01:28:59.188285112 CEST | 49732 | 443 | 192.168.2.4 | 172.67.75.166
Apr 22, 2024 01:28:59.188553095 CEST | 49732 | 443 | 192.168.2.4 | 172.67.75.166
Apr 22, 2024 01:28:59.188579082 CEST | 443 | 49732 | 172.67.75.166 | 192.168.2.4
Apr 22, 2024 01:28:59.417783022 CEST | 443 | 49732 | 172.67.75.166 | 192.168.2.4
Apr 22, 2024 01:28:59.417907000 CEST | 49732 | 443 | 192.168.2.4 | 172.67.75.166
Apr 22, 2024 01:28:59.421648026 CEST | 49732 | 443 | 192.168.2.4 | 172.67.75.166
Apr 22, 2024 01:28:59.421680927 CEST | 443 | 49732 | 172.67.75.166 | 192.168.2.4
Apr 22, 2024 01:28:59.422092915 CEST | 443 | 49732 | 172.67.75.166 | 192.168.2.4
Apr 22, 2024 01:28:59.424979925 CEST | 49732 | 443 | 192.168.2.4 | 172.67.75.166
Apr 22, 2024 01:28:59.468123913 CEST | 443 | 49732 | 172.67.75.166 | 192.168.2.4
Apr 22, 2024 01:28:59.879900932 CEST | 443 | 49732 | 172.67.75.166 | 192.168.2.4
Apr 22, 2024 01:28:59.880007982 CEST | 443 | 49732 | 172.67.75.166 | 192.168.2.4
Apr 22, 2024 01:28:59.880323887 CEST | 49732 | 443 | 192.168.2.4 | 172.67.75.166
Apr 22, 2024 01:28:59.880450964 CEST | 49732 | 443 | 192.168.2.4 | 172.67.75.166
Apr 22, 2024 01:28:59.880498886 CEST | 443 | 49732 | 172.67.75.166 | 192.168.2.4
Apr 22, 2024 01:28:59.880531073 CEST | 49732 | 443 | 192.168.2.4 | 172.67.75.166
Apr 22, 2024 01:28:59.880546093 CEST | 443 | 49732 | 172.67.75.166 | 192.168.2.4
Apr 22, 2024 01:28:59.881858110 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:00.128200054 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.175782919 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:00.207223892 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:00.442692041 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.488415003 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:00.535403967 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:00.775589943 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.775645971 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.775684118 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.775712967 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:00.775748968 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.775787115 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.775801897 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:00.775825024 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.775861025 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.775873899 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:00.775898933 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.775954962 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:00.775955915 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.775993109 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.776041031 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:00.995244980 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.995363951 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.995402098 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.995441914 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.995484114 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:00.995568037 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:00.995568037 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:01.035257101 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:01.082250118 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:01.316823006 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:01.363362074 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:01.410321951 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:01.644783020 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:01.691412926 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:16.984997988 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:16.985105991 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:17.203995943 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:17.204020023 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:17.204035044 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:17.204086065 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:17.468429089 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:20.019617081 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Apr 22, 2024 01:29:20.238773108 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:20.250283003 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
Apr 22, 2024 01:29:20.250499010 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 22, 2024 01:28:57.871700048 CEST | 63352 | 53 | 192.168.2.4 | 1.1.1.1
Apr 22, 2024 01:28:57.976252079 CEST | 53 | 63352 | 1.1.1.1 | 192.168.2.4
Apr 22, 2024 01:28:59.079485893 CEST | 53568 | 53 | 192.168.2.4 | 1.1.1.1
Apr 22, 2024 01:28:59.186819077 CEST | 53 | 53568 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 22, 2024 01:28:57.871700048 CEST | 192.168.2.4 | 1.1.1.1 | 0xa835 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Apr 22, 2024 01:28:59.079485893 CEST | 192.168.2.4 | 1.1.1.1 | 0xfe74 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 22, 2024 01:28:57.976252079 CEST | 1.1.1.1 | 192.168.2.4 | 0xa835 | No error (0) | ipinfo.io | (none) | 34.117.186.192 | A (IP address) | IN (0x0001) | false
Apr 22, 2024 01:28:59.186819077 CEST | 1.1.1.1 | 192.168.2.4 | 0xfe74 | No error (0) | db-ip.com | (none) | 172.67.75.166 | A (IP address) | IN (0x0001) | false
Apr 22, 2024 01:28:59.186819077 CEST | 1.1.1.1 | 192.168.2.4 | 0xfe74 | No error (0) | db-ip.com | (none) | 104.26.4.15 | A (IP address) | IN (0x0001) | false
Apr 22, 2024 01:28:59.186819077 CEST | 1.1.1.1 | 192.168.2.4 | 0xfe74 | No error (0) | db-ip.com | (none) | 104.26.5.15 | A (IP address) | IN (0x0001) | false
• https:
  • ipinfo.io
  • db-ip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 34.117.186.192 | 443 | 2896 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-21 23:28:58 UTC | 237 | OUT | GET /widget/demo/81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io
2024-04-21 23:28:59 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Sun, 21 Apr 2024 23:28:59 GMT
content-type: application/json; charset=utf-8
Content-Length: 980
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-04-21 23:28:59 UTC | 742 | IN | Data Ascii: { "input": "81.181.57.52", "data": { "ip": "81.181.57.52", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS212238 Datacamp Limited", "postal": "30302", "timezone": "America/
2024-04-21 23:28:59 UTC | 238 | IN | Data Ascii: address": "Averescu Maresal 8-10, Bucharest, Romania", "country": "RO", "email": "abuse-binbox@rnc.ro", "name": "Abuse contact role object", "network": "81.181.48.0/20", "phone": "+40 378 600 000" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 172.67.75.166 | 443 | 2896 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-21 23:28:59 UTC | 261 | OUT | GET /demo/home.php?s=81.181.57.52 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: db-ip.com
2024-04-21 23:28:59 UTC | 660 | IN | HTTP/1.1 200 OK
Date: Sun, 21 Apr 2024 23:28:59 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC454715:4710_93878F2E:0050_6625A13B_9387A70:4F34
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Md0UKWXUvmeXLRB0U%2BLgS1O1PpSt6%2Fz92a%2B3pNZztNIj88Nh%2BqzdOBrgCXj51KOS3NCpUHWor0AOvai5O%2BgMSaYG6Nuy7fCr2wMz1rihH5%2FwMGK0HE9qhy05Yg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 878127548dfa672f-ATL
alt-svc: h3=":443"; ma=86400
2024-04-21 23:28:59 UTC | 699 | IN | Data Ascii: 2b4{"status":"ok","demoInfo":{"ipAddress":"81.181.57.52","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":
2024-04-21 23:28:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a / Data Ascii: 0

Target ID: 0
Start time: 01:28:51
Start date: 22/04/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x400000
File size: 997'888 bytes
MD5 hash: 5F30E027D147AF1DE92391F2E18644C8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2008702665.000000000418E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2009564997.0000000008CB9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2009091900.000000000459F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2008702665.0000000004206000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2009188631.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 3
Start time: 01:28:52
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 784
Imagebase: 0xd00000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 01:28:54
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 880
Imagebase: 0xd00000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 01:28:54
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 912
Imagebase: 0xd00000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 01:28:55
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 920
Imagebase: 0xd00000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 01:28:56
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 980
Imagebase: 0xd00000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 01:28:57
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1332
Imagebase: 0xd00000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 15
Start time: 01:29:00
Start date: 22/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1772
Imagebase: 0xd00000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                    Target ID:17
                                                                                                                                    Start time:01:29:01
                                                                                                                                    Start date:22/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1772
                                                                                                                                    Imagebase:0xd00000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:19
                                                                                                                                    Start time:01:29:02
                                                                                                                                    Start date:22/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1880
                                                                                                                                    Imagebase:0xd00000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:21
                                                                                                                                    Start time:01:29:03
                                                                                                                                    Start date:22/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1920
                                                                                                                                    Imagebase:0xd00000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:23
                                                                                                                                    Start time:01:29:04
                                                                                                                                    Start date:22/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1932
                                                                                                                                    Imagebase:0xd00000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:25
                                                                                                                                    Start time:01:29:06
                                                                                                                                    Start date:22/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1960
                                                                                                                                    Imagebase:0xd00000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:27
                                                                                                                                    Start time:01:29:08
                                                                                                                                    Start date:22/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1776
                                                                                                                                    Imagebase:0xd00000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:30
                                                                                                                                    Start time:01:29:09
                                                                                                                                    Start date:22/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1972
                                                                                                                                    Imagebase:0xd00000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:32
                                                                                                                                    Start time:01:29:10
                                                                                                                                    Start date:22/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1916
                                                                                                                                    Imagebase:0xd00000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:34
                                                                                                                                    Start time:01:29:11
                                                                                                                                    Start date:22/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1760
                                                                                                                                    Imagebase:0xd00000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:36
                                                                                                                                    Start time:01:29:12
                                                                                                                                    Start date:22/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1880
                                                                                                                                    Imagebase:0xd00000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:38
                                                                                                                                    Start time:01:29:12
                                                                                                                                    Start date:22/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1892
                                                                                                                                    Imagebase:0xd00000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Has exited:true


Execution Graph

Execution Coverage: 11.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 19.9%
Total number of Nodes: 2000
Total number of Limit Nodes: 132
execution_graph: [node/edge listing backing the interactive execution graph; not reproduced]
5408a0 6 API calls __Strxfrm 78937->78994 78939 5561f0 2 API calls 78939->78940 78940->78923 78940->78939 78996 542690 RtlFreeHeap GetLastError 78940->78996 78941->78898 78942->78900 78943->78904 78944->78904 78946 512c66 78945->78946 78947 512bf5 78945->78947 78946->78920 78946->78926 78947->78946 78948 5561f0 2 API calls 78947->78948 78948->78947 78955 5088d6 78949->78955 78950 508cc2 78950->78930 78951 508ab5 78952 508ade 78951->78952 79012 50b9a0 RtlFreeHeap GetLastError 78951->79012 78954 5561f0 2 API calls 78952->78954 78953 508999 78953->78951 78957 508a92 78953->78957 78959 509410 2 API calls 78953->78959 78962 508ae4 78954->78962 78955->78950 78955->78953 78960 5089ef 78955->78960 78964 50898e 78955->78964 78997 509410 78955->78997 78958 509410 2 API calls 78957->78958 78958->78951 78959->78957 78960->78953 78963 5561f0 2 API calls 78960->78963 78971 508b38 78962->78971 79013 555b30 RtlFreeHeap GetLastError 78962->79013 78963->78953 79011 553960 RtlFreeHeap GetLastError 78964->79011 78966 508b6b 78967 5561f0 2 API calls 78966->78967 78968 508b8c 78966->78968 78967->78968 78972 508bbf 78968->78972 79015 52cfd0 RtlFreeHeap GetLastError 78968->79015 78971->78966 79014 540500 RtlFreeHeap GetLastError 78971->79014 78974 5561f0 2 API calls 78972->78974 78975 508bd9 78972->78975 78974->78975 78976 5561f0 2 API calls 78975->78976 78979 508c12 78975->78979 78976->78979 78977 508c81 78978 508ca8 78977->78978 79016 52cfd0 RtlFreeHeap GetLastError 78977->79016 78978->78930 78979->78977 78981 5561f0 2 API calls 78979->78981 78981->78979 78983 54932d 78982->78983 78986 549241 78982->78986 78990 549257 78983->78990 79091 54acc0 RtlFreeHeap GetLastError __fread_nolock 78983->79091 78986->78983 78986->78990 79073 549420 78986->79073 79088 54b4e0 RtlFreeHeap GetLastError 78986->79088 79089 549370 6 API calls __fread_nolock 78986->79089 79090 549aa0 6 API calls 78986->79090 78990->78930 78991->78930 78992->78930 78993->78937 78994->78931 78995->78940 78996->78940 78998 
509423 78997->78998 78999 5094d0 78998->78999 79000 509486 78998->79000 79001 50948d 78998->79001 79017 5095c0 78998->79017 78999->79000 79007 509509 78999->79007 79035 50b9a0 RtlFreeHeap GetLastError 78999->79035 79000->78955 79033 553960 RtlFreeHeap GetLastError 79001->79033 79004 5094af 79034 50b9a0 RtlFreeHeap GetLastError 79004->79034 79036 553960 RtlFreeHeap GetLastError 79007->79036 79008 5094c6 79008->78955 79010 509514 79010->78955 79011->78953 79012->78951 79013->78971 79014->78966 79015->78972 79016->78977 79018 509612 79017->79018 79021 509620 79017->79021 79018->79021 79022 509662 79018->79022 79032 50966e __fread_nolock 79018->79032 79019 50b365 79025 50b369 79019->79025 79054 50b7b0 RtlFreeHeap GetLastError 79019->79054 79020 50b3af 79023 50b3d4 79020->79023 79055 50b9a0 RtlFreeHeap GetLastError 79020->79055 79021->79019 79021->79020 79037 52da20 79022->79037 79023->78998 79025->78998 79027 5097f0 79027->79021 79030 542fa0 2 API calls 79027->79030 79029 50b3a5 79029->78998 79030->79021 79032->79021 79032->79027 79050 542fa0 79032->79050 79033->79004 79034->79008 79035->78999 79036->79010 79038 52da3e 79037->79038 79046 52dd8e 79037->79046 79038->79046 79056 542ec0 RtlFreeHeap GetLastError 79038->79056 79040 52da79 79041 52dcef 79040->79041 79047 52dbda 79040->79047 79048 542fa0 RtlFreeHeap GetLastError 79040->79048 79041->79046 79058 541d50 RtlFreeHeap GetLastError __fread_nolock 79041->79058 79042 52dccc 79042->79041 79043 542fa0 2 API calls 79042->79043 79043->79041 79045 542fa0 2 API calls 79045->79047 79046->79021 79047->79042 79047->79045 79057 542830 RtlFreeHeap GetLastError 79047->79057 79048->79040 79051 542fac 79050->79051 79059 555dc0 79051->79059 79053 542fc4 79053->79032 79054->79029 79055->79020 79056->79040 79057->79047 79058->79046 79060 555dd5 79059->79060 79068 555e5b 79059->79068 79061 555ebe 79060->79061 79064 555dd9 79060->79064 79067 555e4d __Strxfrm 79060->79067 79071 508390 RtlFreeHeap GetLastError __fread_nolock 79061->79071 
79063 555ec3 79065 555ec7 79063->79065 79072 556050 RtlFreeHeap GetLastError 79063->79072 79064->79053 79065->79053 79067->79068 79069 5561f0 2 API calls 79067->79069 79068->79053 79070 555eb4 79069->79070 79070->79053 79071->79063 79072->79068 79092 54b990 79073->79092 79075 549435 79077 549598 79075->79077 79100 54b720 79075->79100 79077->78986 79078 549590 79078->79077 79114 54b930 6 API calls 79078->79114 79080 54944f 79080->79077 79080->79078 79083 549540 79080->79083 79081 54955c 79082 54fc90 2 API calls 79081->79082 79084 549572 79082->79084 79083->79081 79113 54b930 6 API calls 79083->79113 79086 54cb30 2 API calls 79084->79086 79087 549586 79086->79087 79087->78986 79088->78986 79089->78986 79090->78986 79091->78990 79093 54b9aa 79092->79093 79093->79093 79096 54ba29 79093->79096 79097 54ba69 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 79093->79097 79115 551070 79093->79115 79095 54bb6e __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 79095->79096 79099 551e30 4 API calls 79095->79099 79096->79075 79097->79095 79097->79096 79126 54cf30 6 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 79097->79126 79099->79096 79101 54b738 79100->79101 79103 54b742 79100->79103 79101->79080 79104 54b895 79103->79104 79107 54b811 79103->79107 79110 54b74e 79103->79110 79111 54b77a __fread_nolock 79103->79111 79106 54b8a4 79104->79106 79104->79110 79105 54b8c2 79150 54dc00 RtlFreeHeap GetLastError __fread_nolock 79105->79150 79106->79105 79106->79111 79149 5508e0 RtlFreeHeap GetLastError __fread_nolock 79106->79149 79107->79111 79112 551e30 4 API calls 79107->79112 79110->79111 79148 54daf0 6 API calls 79110->79148 79111->79080 79112->79110 79113->79081 79114->79077 79127 551780 79115->79127 79117 551085 79118 55108b 79117->79118 79119 5510c6 79117->79119 79120 55109d GetVersionExA 79117->79120 79118->79097 79121 5510d5 GetFileAttributesA 79119->79121 79122 5510cd GetFileAttributesW 79119->79122 79120->79119 79123 5510db 79121->79123 79122->79123 79124 43c526 
std::locale::_Locimp::~_Locimp 2 API calls 79123->79124 79125 5510e3 79124->79125 79125->79097 79126->79095 79128 551795 GetVersionExA 79127->79128 79129 5517be 79127->79129 79128->79129 79130 5517c5 79129->79130 79131 5517cf 79129->79131 79146 552170 7 API calls 2 library calls 79130->79146 79147 552170 7 API calls 2 library calls 79131->79147 79134 5517ca 79134->79117 79135 5517d5 79136 5517e1 AreFileApisANSI WideCharToMultiByte 79135->79136 79137 5517db 79135->79137 79138 43cc7c ___std_exception_copy 3 API calls 79136->79138 79137->79117 79139 55180a 79138->79139 79140 551831 79139->79140 79141 551813 WideCharToMultiByte 79139->79141 79143 43c526 std::locale::_Locimp::~_Locimp 2 API calls 79140->79143 79141->79140 79142 55182b 79141->79142 79144 43c526 std::locale::_Locimp::~_Locimp 2 API calls 79142->79144 79145 55183c 79143->79145 79144->79140 79145->79117 79146->79134 79147->79135 79148->79111 79149->79105 79150->79111 79151 410887 79152 417ea0 35 API calls 79151->79152 79153 41088c 79152->79153 79154 41089e CreateDirectoryA 79153->79154 79155 4108ab 79154->79155 79156 4f2870 53 API calls 79155->79156 79157 410b43 79156->79157 79158 410b51 79157->79158 79159 4031c0 std::_Throw_Cpp_error 33 API calls 79157->79159 79160 4031c0 std::_Throw_Cpp_error 33 API calls 79158->79160 79159->79158 79161 410b5c 79160->79161 79162 40b786 79163 403260 std::_Throw_Cpp_error 35 API calls 79162->79163 79164 40b78b 79163->79164 79165 4031c0 std::_Throw_Cpp_error 33 API calls 79164->79165 79166 40b855 79165->79166 79167 403260 std::_Throw_Cpp_error 35 API calls 79166->79167 79168 40b86d 79167->79168 79171 4f2d70 79168->79171 79170 40b872 79172 4340b0 35 API calls 79171->79172 79173 4f2e12 79172->79173 79174 437938 63 API calls 79173->79174 79176 4f2e1f 79173->79176 79174->79176 79175 4f2e52 error_info_injector 79175->79170 79176->79175 79177 433500 std::_Throw_Cpp_error 33 API calls 79176->79177 79178 4f2e6b 79177->79178 79179 44550f 79184 4452e5 79179->79184 79182 44554e 79185 
445304 79184->79185 79186 445317 79185->79186 79190 44532c 79185->79190 79200 4334f0 33 API calls __fread_nolock 79186->79200 79188 445327 79188->79182 79197 43d543 79188->79197 79195 44544c 79190->79195 79201 43b83e 33 API calls __fread_nolock 79190->79201 79192 44549c 79192->79195 79202 43b83e 33 API calls __fread_nolock 79192->79202 79194 4454ba 79194->79195 79203 43b83e 33 API calls __fread_nolock 79194->79203 79195->79188 79204 4334f0 33 API calls __fread_nolock 79195->79204 79205 43ceeb 79197->79205 79200->79188 79201->79192 79202->79194 79203->79195 79204->79188 79206 43cef7 __FrameHandler3::FrameUnwindToState 79205->79206 79207 43cefe 79206->79207 79208 43cf29 79206->79208 79223 4334f0 33 API calls __fread_nolock 79207->79223 79214 43d4d5 79208->79214 79213 43cf0d 79213->79182 79225 437a37 79214->79225 79219 43d50b 79221 4458aa ___free_lconv_mon 2 API calls 79219->79221 79222 43cf4d 79219->79222 79221->79222 79224 43cf80 LeaveCriticalSection __wsopen_s 79222->79224 79223->79213 79224->79213 79263 433e3e 79225->79263 79228 437a5b 79230 437a1a 79228->79230 79273 437968 79230->79273 79232 437a32 79232->79219 79233 43d563 79232->79233 79234 43d580 79233->79234 79237 43d595 79234->79237 79293 44902a 79234->79293 79237->79219 79239 43d689 GetFileType 79241 43d694 GetLastError __dosmaperr CloseHandle 79239->79241 79242 43d6db 79239->79242 79240 43d65e GetLastError __dosmaperr 79240->79237 79241->79237 79260 43d6cb 79241->79260 79308 448f75 SetStdHandle __wsopen_s 79242->79308 79243 43d60c 79243->79239 79243->79240 79307 43d21c CreateFileW 79243->79307 79246 43d651 79246->79239 79246->79240 79260->79237 79264 433e5c 79263->79264 79270 433e55 79263->79270 79265 4446d2 __Getctype 33 API calls 79264->79265 79264->79270 79266 433e7d 79265->79266 79267 4449bd __Getctype 33 API calls 79266->79267 79268 433e93 79267->79268 79272 444a1b 33 API calls _strftime 79268->79272 79270->79228 79271 445d9e 5 API calls std::_Lockit::_Lockit 79270->79271 79271->79228 79272->79270 
79274 437990 79273->79274 79275 437976 79273->79275 79277 437997 79274->79277 79278 4379b6 79274->79278 79288 437a76 RtlFreeHeap GetLastError ___free_lconv_mon 79275->79288 79283 437980 79277->79283 79289 437a90 5 API calls _strftime 79277->79289 79290 445a0a MultiByteToWideChar _strftime 79278->79290 79280 4379c5 79282 4379cc GetLastError __dosmaperr 79280->79282 79284 4379f2 79280->79284 79291 437a90 5 API calls _strftime 79280->79291 79282->79283 79283->79232 79284->79283 79292 445a0a MultiByteToWideChar _strftime 79284->79292 79287 437a09 79287->79282 79287->79283 79288->79283 79289->79283 79290->79280 79291->79284 79292->79287 79294 449036 __FrameHandler3::FrameUnwindToState 79293->79294 79314 43eadb EnterCriticalSection 79294->79314 79296 449084 79315 449134 79296->79315 79298 449062 79318 448e04 11 API calls 3 library calls 79298->79318 79301 449067 79301->79296 79319 448f52 EnterCriticalSection 79301->79319 79302 44903d 79302->79296 79302->79298 79303 4490d1 EnterCriticalSection 79302->79303 79303->79296 79305 4490de LeaveCriticalSection 79303->79305 79305->79302 79306 43d21c CreateFileW 79306->79243 79307->79246 79314->79302 79320 43eb23 LeaveCriticalSection 79315->79320 79317 43d5b3 79317->79237 79317->79306 79318->79301 79319->79296 79320->79317 79321 40e58b 79322 403260 std::_Throw_Cpp_error 35 API calls 79321->79322 79323 40e590 79322->79323 79324 4031c0 std::_Throw_Cpp_error 33 API calls 79323->79324 79325 40e65a 79324->79325 79482 4f2cd0 79325->79482 79328 40e670 79331 414090 std::_Throw_Cpp_error 35 API calls 79328->79331 79329 40e6b1 79330 4f2870 53 API calls 79329->79330 79332 40e6c0 79330->79332 79333 40e684 79331->79333 79335 40e6d2 79332->79335 79336 4031c0 std::_Throw_Cpp_error 33 API calls 79332->79336 79334 414090 std::_Throw_Cpp_error 35 API calls 79333->79334 79337 40e699 79334->79337 79338 417ea0 35 API calls 79335->79338 79336->79335 79563 4ec100 52 API calls 3 library calls 79337->79563 79341 40e77f 79338->79341 79340 40e6a4 
79340->79329 79342 40e6ab 79340->79342 79343 40e791 CreateDirectoryA 79341->79343 79342->79332 79344 40e987 79343->79344 79345 40e79e 79343->79345 79346 417ea0 35 API calls 79344->79346 79347 403260 std::_Throw_Cpp_error 35 API calls 79345->79347 79348 40ea34 79346->79348 79350 40e845 79347->79350 79349 40ea46 CreateDirectoryA 79348->79349 79351 40ea53 79349->79351 79352 40fa08 79349->79352 79355 4031c0 std::_Throw_Cpp_error 33 API calls 79350->79355 79354 403260 std::_Throw_Cpp_error 35 API calls 79351->79354 79353 417ea0 35 API calls 79352->79353 79356 40fab5 79353->79356 79359 40eafe 79354->79359 79357 40e90f 79355->79357 79358 40fac7 CreateDirectoryA 79356->79358 79362 4f2cd0 45 API calls 79357->79362 79360 40fad4 79358->79360 79449 4100e8 79358->79449 79365 4031c0 std::_Throw_Cpp_error 33 API calls 79359->79365 79363 403260 std::_Throw_Cpp_error 35 API calls 79360->79363 79361 417ea0 35 API calls 79364 41019b 79361->79364 79366 40e921 79362->79366 79373 40fb80 79363->79373 79370 4101ad CreateDirectoryA 79364->79370 79367 40ebc8 79365->79367 79368 40e925 79366->79368 79369 40e966 79366->79369 79378 4f2cd0 45 API calls 79367->79378 79372 414090 std::_Throw_Cpp_error 35 API calls 79368->79372 79371 4f2870 53 API calls 79369->79371 79374 410611 79370->79374 79388 4101ba 79370->79388 79375 40e975 79371->79375 79376 40e939 79372->79376 79381 4031c0 std::_Throw_Cpp_error 33 API calls 79373->79381 79377 410626 79374->79377 79380 4f2870 53 API calls 79374->79380 79383 4031c0 std::_Throw_Cpp_error 33 API calls 79375->79383 79379 414090 std::_Throw_Cpp_error 35 API calls 79376->79379 79382 4031c0 std::_Throw_Cpp_error 33 API calls 79377->79382 79384 40ebda 79378->79384 79385 40e94e 79379->79385 79380->79377 79386 40fc4a 79381->79386 79387 410634 79382->79387 79383->79344 79389 40ee81 79384->79389 79395 417ea0 35 API calls 79384->79395 79564 4ec100 52 API calls 3 library calls 79385->79564 79393 414090 std::_Throw_Cpp_error 35 API calls 79386->79393 79388->79388 79400 
4034e0 std::_Throw_Cpp_error 35 API calls 79388->79400 79392 4f2870 53 API calls 79389->79392 79391 40e959 79391->79369 79396 40e960 79391->79396 79397 40f9f6 79392->79397 79398 40fc5b 79393->79398 79401 40ec8f 79395->79401 79396->79375 79404 4031c0 std::_Throw_Cpp_error 33 API calls 79397->79404 79497 4d0620 79398->79497 79410 41028c 79400->79410 79408 4f2cd0 45 API calls 79401->79408 79404->79352 79411 40eca8 79408->79411 79410->79410 79417 41c4c0 38 API calls 79410->79417 79412 40ecb0 79411->79412 79413 40ed7d 79411->79413 79449->79361 79483 42d429 12 API calls 79482->79483 79484 4f2ce2 79483->79484 79485 4f2d4c 79484->79485 79486 4f2ce9 79484->79486 79570 42cdc4 35 API calls 2 library calls 79485->79570 79488 4f2cf5 79486->79488 79489 4f2d53 79486->79489 79493 4f2d0b GetFileAttributesA 79488->79493 79496 4f2d22 79488->79496 79571 42cdc4 35 API calls 2 library calls 79489->79571 79492 42d43a ReleaseSRWLockExclusive 79494 40e66c 79492->79494 79495 4f2d17 GetLastError 79493->79495 79493->79496 79494->79328 79494->79329 79495->79496 79496->79492 79563->79340 79564->79391 79604 40c5cc 79605 403260 std::_Throw_Cpp_error 35 API calls 79604->79605 79606 40c5d1 79605->79606 79607 4031c0 std::_Throw_Cpp_error 33 API calls 79606->79607 79608 40c69b 79607->79608 79609 403260 std::_Throw_Cpp_error 35 API calls 79608->79609 79610 40c6b3 79609->79610 79611 4f2d70 63 API calls 79610->79611 79612 40c6b8 79611->79612 79613 40c6c3 79612->79613 79614 40c7a8 79612->79614 79616 417ea0 35 API calls 79613->79616 79615 4f2870 53 API calls 79614->79615 79617 40c7b7 79615->79617 79620 40c770 79616->79620 79618 40c7c9 79617->79618 79619 4031c0 std::_Throw_Cpp_error 33 API calls 79617->79619 79621 417ea0 35 API calls 79618->79621 79619->79618 79622 40c787 CopyFileA 79620->79622 79623 40c876 79621->79623 79624 4031c0 std::_Throw_Cpp_error 33 API calls 79622->79624 79626 40c88a CreateDirectoryA 79623->79626 79625 40c79e 79624->79625 79625->79614 79627 40c7a2 79625->79627 79628 40c895 
79626->79628 79627->79617 79629 417ea0 35 API calls 79628->79629 79630 40ccff 79629->79630 79631 40cd13 CreateDirectoryA 79630->79631 79632 40d26a 79631->79632 79633 40cd1e 79631->79633 79634 417ea0 35 API calls 79632->79634 79635 403260 std::_Throw_Cpp_error 35 API calls 79633->79635 79636 40d31d 79634->79636 79639 40cdca 79635->79639 79637 40d32f CreateDirectoryA 79636->79637 79638 40d33c 79637->79638 79640 40de86 79638->79640 79642 4f2870 53 API calls 79638->79642 79641 4031c0 std::_Throw_Cpp_error 33 API calls 79639->79641 79643 4031c0 std::_Throw_Cpp_error 33 API calls 79640->79643 79644 40ce94 79641->79644 79642->79640 79645 40de94 79643->79645 79646 414090 std::_Throw_Cpp_error 35 API calls 79644->79646 79647 4031c0 std::_Throw_Cpp_error 33 API calls 79645->79647 79648 40cea5 79646->79648 79649 40de9f 79647->79649 79650 4d0620 65 API calls 79648->79650 79651 4031c0 std::_Throw_Cpp_error 33 API calls 79649->79651 79695 40ceb4 79650->79695 79652 40deaa 79651->79652 79653 4031c0 std::_Throw_Cpp_error 33 API calls 79652->79653 79654 40deb5 79653->79654 79655 4031c0 std::_Throw_Cpp_error 33 API calls 79654->79655 79656 40dec0 79655->79656 79658 40d238 79660 4f2870 53 API calls 79658->79660 79662 40d24d 79658->79662 79660->79662 79838 416210 33 API calls 2 library calls 79662->79838 79663 414090 std::_Throw_Cpp_error 35 API calls 79663->79695 79669 40d25b 79672 4031c0 std::_Throw_Cpp_error 33 API calls 79669->79672 79672->79632 79679 416470 33 API calls 79679->79695 79690 417ea0 35 API calls 79708 40d0fa 79690->79708 79692 418040 35 API calls 79692->79708 79695->79658 79695->79663 79695->79679 79698 4031c0 33 API calls std::_Throw_Cpp_error 79695->79698 79695->79708 79835 417e60 38 API calls 79695->79835 79836 405140 35 API calls 79695->79836 79837 417aa0 41 API calls 79695->79837 79698->79695 79699 40d1d9 CopyFileA 79701 4031c0 std::_Throw_Cpp_error 33 API calls 79699->79701 79701->79708 79703 4031c0 std::_Throw_Cpp_error 33 API calls 79703->79708 79708->79690 
79708->79692 79708->79695 79708->79699 79708->79703 79835->79695 79836->79695 79837->79695 79838->79669 79845 4d1380 79846 414090 std::_Throw_Cpp_error 35 API calls 79845->79846 79847 4d13b1 79846->79847 79848 414090 std::_Throw_Cpp_error 35 API calls 79847->79848 79849 4d13c1 79848->79849 79851 4d13d7 error_info_injector 79849->79851 79855 41fd60 79849->79855 79852 4d145b error_info_injector 79851->79852 79853 433500 std::_Throw_Cpp_error 33 API calls 79851->79853 79854 4d1478 79853->79854 79856 41fda2 79855->79856 79857 41ff49 79855->79857 79858 41fdc5 79856->79858 79860 41ff44 79856->79860 79862 41fdf7 79856->79862 79863 41fe1e 79856->79863 79884 403750 35 API calls std::_Throw_Cpp_error 79857->79884 79865 42df02 std::_Facet_Register 35 API calls 79858->79865 79883 403070 35 API calls 2 library calls 79860->79883 79862->79858 79862->79860 79866 42df02 std::_Facet_Register 35 API calls 79863->79866 79879 41fe08 79863->79879 79864 433500 std::_Throw_Cpp_error 33 API calls 79871 41ff53 79864->79871 79865->79879 79866->79879 79867 420143 79886 403750 35 API calls std::_Throw_Cpp_error 79867->79886 79869 42013e 79885 403070 35 API calls 2 library calls 79869->79885 79871->79867 79871->79869 79873 41fff3 79871->79873 79874 42001a 79871->79874 79872 433500 std::_Throw_Cpp_error 33 API calls 79876 42014d 79872->79876 79873->79869 79875 41fffe 79873->79875 79878 42df02 std::_Facet_Register 35 API calls 79874->79878 79881 420004 79874->79881 79877 42df02 std::_Facet_Register 35 API calls 79875->79877 79877->79881 79878->79881 79879->79864 79880 41ff0f error_info_injector 79879->79880 79880->79851 79881->79872 79882 420101 error_info_injector 79881->79882 79882->79851 79883->79857 79885->79867 79887 4f1f00 SetupDiGetClassDevsA 79888 4f1f22 79887->79888 79889 40e250 79890 403260 std::_Throw_Cpp_error 35 API calls 79889->79890 79891 40e255 79890->79891 79892 4031c0 std::_Throw_Cpp_error 33 API calls 79891->79892 79893 40e31f 79892->79893 79894 4f2cd0 45 API calls 
79893->79894 79895 40e331 79894->79895 79896 40e335 79895->79896 79897 40e376 79895->79897 79899 414090 std::_Throw_Cpp_error 35 API calls 79896->79899 79898 4f2870 53 API calls 79897->79898 79900 40e385 79898->79900 79901 40e349 79899->79901 79904 40e397 79900->79904 79905 4031c0 std::_Throw_Cpp_error 33 API calls 79900->79905 79902 414090 std::_Throw_Cpp_error 35 API calls 79901->79902 79903 40e35e 79902->79903 80054 4ec100 52 API calls 3 library calls 79903->80054 79907 417ea0 35 API calls 79904->79907 79905->79904 79909 40e444 79907->79909 79908 40e369 79908->79897 79910 40e370 79908->79910 79911 40e456 CreateDirectoryA 79909->79911 79910->79900 79912 40e463 79911->79912 79913 417ea0 35 API calls 79912->79913 79914 40e77f 79913->79914 79915 40e791 CreateDirectoryA 79914->79915 79916 40e987 79915->79916 79917 40e79e 79915->79917 79918 417ea0 35 API calls 79916->79918 79919 403260 std::_Throw_Cpp_error 35 API calls 79917->79919 79920 40ea34 79918->79920 79922 40e845 79919->79922 79921 40ea46 CreateDirectoryA 79920->79921 79923 40ea53 79921->79923 79924 40fa08 79921->79924 79927 4031c0 std::_Throw_Cpp_error 33 API calls 79922->79927 79926 403260 std::_Throw_Cpp_error 35 API calls 79923->79926 79925 417ea0 35 API calls 79924->79925 79928 40fab5 79925->79928 79931 40eafe 79926->79931 79929 40e90f 79927->79929 79930 40fac7 CreateDirectoryA 79928->79930 79935 4f2cd0 45 API calls 79929->79935 79932 40fad4 79930->79932 79933 4100e8 79930->79933 79938 4031c0 std::_Throw_Cpp_error 33 API calls 79931->79938 79936 403260 std::_Throw_Cpp_error 35 API calls 79932->79936 79934 417ea0 35 API calls 79933->79934 79937 41019b 79934->79937 79939 40e921 79935->79939 79946 40fb80 79936->79946 79943 4101ad CreateDirectoryA 79937->79943 79940 40ebc8 79938->79940 79941 40e925 79939->79941 79942 40e966 79939->79942 79951 4f2cd0 45 API calls 79940->79951 79945 414090 std::_Throw_Cpp_error 35 API calls 79941->79945 79944 4f2870 53 API calls 79942->79944 79947 410611 79943->79947 79961 
4101ba 79943->79961 79948 40e975 79944->79948 79949 40e939 79945->79949 79954 4031c0 std::_Throw_Cpp_error 33 API calls 79946->79954 79950 410626 79947->79950 79953 4f2870 53 API calls 79947->79953 79956 4031c0 std::_Throw_Cpp_error 33 API calls 79948->79956 79952 414090 std::_Throw_Cpp_error 35 API calls 79949->79952 79955 4031c0 std::_Throw_Cpp_error 33 API calls 79950->79955 79957 40ebda 79951->79957 79958 40e94e 79952->79958 79953->79950 79959 40fc4a 79954->79959 79960 410634 79955->79960 79956->79916 79962 40ee81 79957->79962 79968 417ea0 35 API calls 79957->79968 80055 4ec100 52 API calls 3 library calls 79958->80055 79966 414090 std::_Throw_Cpp_error 35 API calls 79959->79966 79967 4031c0 std::_Throw_Cpp_error 33 API calls 79960->79967 79961->79961 79973 4034e0 std::_Throw_Cpp_error 35 API calls 79961->79973 79965 4f2870 53 API calls 79962->79965 79964 40e959 79964->79942 79969 40e960 79964->79969 79970 40f9f6 79965->79970 79971 40fc5b 79966->79971 79972 41063f 79967->79972 79974 40ec8f 79968->79974 79969->79948 79977 4031c0 std::_Throw_Cpp_error 33 API calls 79970->79977 79975 4d0620 65 API calls 79971->79975 79976 4031c0 std::_Throw_Cpp_error 33 API calls 79972->79976 79982 41028c 79973->79982 79980 4f2cd0 45 API calls 79974->79980 79999 40fc6a 79975->79999 79977->79924 79983 40eca8 79980->79983 79982->79982 79989 41c4c0 38 API calls 79982->79989 79984 40ecb0 79983->79984 79985 40ed7d 79983->79985 79987 417ea0 35 API calls 79984->79987 79993 40ed99 79985->79993 79995 4031c0 std::_Throw_Cpp_error 33 API calls 79985->79995 79992 40ed5d 79987->79992 79991 410358 79989->79991 80006 4031c0 std::_Throw_Cpp_error 33 API calls 79991->80006 80001 40ed72 CreateDirectoryA 79992->80001 79993->79962 79997 40eda3 79993->79997 79995->79993 79996 4f2870 53 API calls 80002 4100cb 79996->80002 80003 417ea0 35 API calls 79997->80003 79998 414090 std::_Throw_Cpp_error 35 API calls 79998->79999 79999->79998 80024 416470 33 API calls 79999->80024 80046 4031c0 33 API calls 
std::_Throw_Cpp_error 79999->80046 80050 4100b6 79999->80050 80052 40ff60 79999->80052 80057 417e60 38 API calls 79999->80057 80058 405140 35 API calls 79999->80058 80059 417aa0 41 API calls 79999->80059 80001->79985 80009 410373 80006->80009 80024->79999 80035 417ea0 35 API calls 80035->80052 80039 418040 35 API calls 80039->80052 80042 410057 CopyFileA 80046->79999 80048 4031c0 std::_Throw_Cpp_error 33 API calls 80048->80052 80050->79996 80050->80002 80052->79999 80052->80035 80052->80039 80052->80042 80052->80048 80054->79908 80055->79964 80057->79999 80058->79999 80059->79999 80061 4109d3 80062 403260 std::_Throw_Cpp_error 35 API calls 80061->80062 80063 4109d8 80062->80063 80063->80063 80064 41c4c0 38 API calls 80063->80064 80065 410a9b 80064->80065 80066 4031c0 std::_Throw_Cpp_error 33 API calls 80065->80066 80067 410ab6 80066->80067 80068 4f2cd0 45 API calls 80067->80068 80069 410ac8 80068->80069 80070 410b0d 80069->80070 80071 410acc 80069->80071 80073 4f2870 53 API calls 80070->80073 80072 414090 std::_Throw_Cpp_error 35 API calls 80071->80072 80074 410ae0 80072->80074 80075 410b1c 80073->80075 80076 414090 std::_Throw_Cpp_error 35 API calls 80074->80076 80078 4031c0 std::_Throw_Cpp_error 33 API calls 80075->80078 80077 410af5 80076->80077 80089 4ec100 52 API calls 3 library calls 80077->80089 80081 410b2e 80078->80081 80080 410b00 80080->80070 80083 410b07 80080->80083 80082 410b43 80081->80082 80084 4f2870 53 API calls 80081->80084 80085 410b51 80082->80085 80086 4031c0 std::_Throw_Cpp_error 33 API calls 80082->80086 80083->80075 80084->80082 80087 4031c0 std::_Throw_Cpp_error 33 API calls 80085->80087 80086->80085 80088 410b5c 80087->80088 80089->80080 80090 422451 80091 422477 80090->80091 80092 4224ae 80090->80092 80093 411940 35 API calls 80091->80093 80094 4224b6 80092->80094 80095 4224ea 80092->80095 80101 422013 80093->80101 80094->80101 80214 429b50 35 API calls 80094->80214 80096 411960 35 API calls 80095->80096 80095->80101 80096->80101 80099 
4227ff error_info_injector 80235 411310 33 API calls 2 library calls 80099->80235 80100 422ffe 80101->80099 80102 422604 80101->80102 80103 42254b 80101->80103 80104 422b9e 80101->80104 80106 41c660 38 API calls 80101->80106 80218 423ab0 35 API calls 80101->80218 80105 41c660 38 API calls 80102->80105 80215 41b7b0 42 API calls 2 library calls 80103->80215 80226 41b7b0 42 API calls 2 library calls 80104->80226 80110 42260c 80105->80110 80106->80101 80180 422cd2 80110->80180 80202 415c20 80110->80202 80111 42258c 80216 406670 38 API calls 3 library calls 80111->80216 80112 422be1 80227 406670 38 API calls 3 library calls 80112->80227 80117 4225b0 80217 41bd60 40 API calls 3 library calls 80117->80217 80118 422c05 80228 41bd60 40 API calls 3 library calls 80118->80228 80119 422d1f 80233 406670 38 API calls 3 library calls 80119->80233 80120 42262a 80124 41c660 38 API calls 80120->80124 80128 422635 80124->80128 80125 4225c6 80131 423016 80125->80131 80132 4225d8 80125->80132 80126 422c1b 80126->80132 80133 423097 80126->80133 80127 422d43 80234 41bd60 40 API calls 3 library calls 80127->80234 80129 422c32 80128->80129 80130 422641 80128->80130 80137 4036f0 std::_Throw_Cpp_error 35 API calls 80129->80137 80135 41c660 38 API calls 80130->80135 80236 416c30 34 API calls ___std_exception_copy 80131->80236 80143 4031c0 std::_Throw_Cpp_error 33 API calls 80132->80143 80239 416c30 34 API calls ___std_exception_copy 80133->80239 80141 422649 80135->80141 80144 422c4d 80137->80144 80138 422d59 80138->80099 80145 4230d5 80138->80145 80140 4230a5 80146 42fc4b Concurrency::cancel_current_task RaiseException 80140->80146 80159 4036f0 std::_Throw_Cpp_error 35 API calls 80141->80159 80142 423024 80147 42fc4b Concurrency::cancel_current_task RaiseException 80142->80147 80149 422b40 80143->80149 80229 41b7b0 42 API calls 2 library calls 80144->80229 80241 416c30 34 API calls ___std_exception_copy 80145->80241 80152 4230b6 80146->80152 80153 423035 80147->80153 80224 42f408 RtlFreeHeap 
82587->82498 82588->82429 82589->82429 82591 420749 82590->82591 82594 420680 82590->82594 82634 403750 35 API calls std::_Throw_Cpp_error 82591->82634 82623 423240 82594->82623 82596 4206bb 82597 420717 82596->82597 82631 425140 33 API calls 82596->82631 82632 425140 33 API calls 82597->82632 82600 42072c 82633 423a30 33 API calls 82600->82633 82602 42073d 82602->82440 82606->82479 82607->82418 82608->82424 82635 406410 82609->82635 82611 406f0b 82612 416aa0 std::_Throw_Cpp_error 35 API calls 82611->82612 82616 406f29 error_info_injector 82612->82616 82613 406fd0 error_info_injector 82614 42f3a5 ___std_exception_copy 34 API calls 82613->82614 82619 407015 82614->82619 82615 40706a 82617 433500 std::_Throw_Cpp_error 33 API calls 82615->82617 82616->82613 82616->82615 82617->82619 82618 40704b error_info_injector 82619->82618 82620 433500 std::_Throw_Cpp_error 33 API calls 82619->82620 82624 42328c 82623->82624 82625 423249 82623->82625 82624->82624 82625->82624 82626 423263 82625->82626 82628 42df02 std::_Facet_Register 35 API calls 82625->82628 82627 42326c 82626->82627 82629 42df02 std::_Facet_Register 35 API calls 82626->82629 82627->82596 82628->82626 82630 423285 82629->82630 82630->82596 82631->82597 82632->82600 82633->82602 82656 4047a0 35 API calls std::_Throw_Cpp_error 82635->82656 82637 406453 82638 406470 82637->82638 82639 406621 82637->82639 82641 41b4a0 35 API calls 82638->82641 82657 403110 35 API calls 2 library calls 82639->82657 82642 40648d 82641->82642 82644 416aa0 std::_Throw_Cpp_error 35 API calls 82642->82644 82643 433500 std::_Throw_Cpp_error 33 API calls 82645 40662b 82643->82645 82646 4064a0 82644->82646 82658 42f408 RtlFreeHeap GetLastError std::locale::_Locimp::~_Locimp 82645->82658 82649 41b310 35 API calls 82646->82649 82648 406646 82659 42f408 RtlFreeHeap GetLastError std::locale::_Locimp::~_Locimp 82648->82659 82651 4064d8 82649->82651 82653 416aa0 std::_Throw_Cpp_error 35 API calls 82651->82653 82652 406655 error_info_injector 
82652->82611 82655 4064eb error_info_injector 82653->82655 82654 406602 error_info_injector 82654->82611 82655->82643 82655->82654 82656->82637 82657->82655 82658->82648 82659->82652
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 0045586E
• GetLastError.KERNEL32 ref: 00455880
• Sleep.KERNEL32(00000529), ref: 004558A5
• Sleep.KERNEL32(0000002F), ref: 00455985
• shutdown.WS2_32(00000002), ref: 004559A3
• closesocket.WS2_32 ref: 004559AF
• WSACleanup.WS2_32 ref: 004559B5
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00455A77
• Sleep.KERNELBASE(00000065), ref: 00455CD9
• Sleep.KERNEL32(00000000), ref: 00455D96
• GetProcAddress.KERNEL32(00000000,?), ref: 004567CD
• GetCurrentProcess.KERNEL32(00000000), ref: 004567DB
• OutputDebugStringA.KERNELBASE(Dk43l_dwmk438*,?,00000018,0000000A,Function_000031C0,?,?,?,?,?,?,?,?,?,?), ref: 004567EF
• OutputDebugStringA.KERNELBASE(ewetwertyer eytdryrtdy,?,?), ref: 004569BE
• OutputDebugStringA.KERNEL32(td ydrthrhfty,?,?,?,?,?,?,?), ref: 00456F72
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Sleep$DebugOutputString$AddressCleanupCreateCurrentErrorLastMutexProcProcessUnothrow_t@std@@@__ehfuncinfo$??2@closesocketshutdown
• String ID: 43t res tgy45yfhyrt$Dk43l_dwmk438*$er ert 346 34634 6ch$ewetwertyer eytdryrtdy$ntdll.dll$td ydrthrhfty
• API String ID: 3261302857-3574556348
• Opcode ID: 80741dde7cb54c13108023b5ba987e2ca95ace5b307270e7db37f7bfc9f11f61
• Instruction ID: b7004e79db67d020d65fac00f85910b7803af71aabf98f32d17772c606b18a4d
• Opcode Fuzzy Hash: 80741dde7cb54c13108023b5ba987e2ca95ace5b307270e7db37f7bfc9f11f61
• Instruction Fuzzy Hash: 74A302B45083818FC335CF19C491AABBBE1BFD8344F54495EE8899B352DB34A949CF86
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(00000025), ref: 00453C44
  • Part of subcall function 004E2FA0: __Xtime_get_ticks.LIBCPMT ref: 004E2FA1
  • Part of subcall function 004E2FA0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004E2FAF
• GetCurrentProcess.KERNEL32(00008000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001), ref: 00453DCD
• SetPriorityClass.KERNELBASE(00000000), ref: 00453DD4
• SetUnhandledExceptionFilter.KERNEL32(0045A780), ref: 00453DDF
Strings
Similarity
• API ID: ClassCurrentExceptionFilterPriorityProcessSleepUnhandledUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
• String ID: 131$147.45.47.93:58709$43t res tgy45yfhyrt$Dk43l_dwmk438*$er ert 346 34634 6ch
• API String ID: 1211644118-3950233817
• Opcode ID: 0ac0a5490fc185f1bf0b204bcce8c132e5f6f89f1fc6e605dcb6ff368d608395
• Instruction ID: 58df280d1c5bcf31294a4ea42ed0208b52652377ae8c263acff41185647b5a58
• Opcode Fuzzy Hash: 0ac0a5490fc185f1bf0b204bcce8c132e5f6f89f1fc6e605dcb6ff368d608395
• Instruction Fuzzy Hash: F70326B45083829FC324DF29C491AABBBE4FFD8345F40491EE98997352DB30A549CF96
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004F2F40: GetModuleHandleA.KERNEL32(?), ref: 004F3048
  • Part of subcall function 004F2F40: GetProcAddress.KERNEL32(00000000,?), ref: 004F3053
• CreateDirectoryA.KERNELBASE(00000000,00000000,?), ref: 0040A601
Strings
Similarity
• API ID: AddressCreateDirectoryHandleModuleProc
• String ID: U5I
• API String ID: 2385557062-2587217555
• Opcode ID: 917595ce0c92c6884b07a30600ae673a975f8174c60f98ae381c5ae076f0d1ba
• Instruction ID: 4cdd386919e838af970f59fa8ac5a494f476b57722eda99af27e3df303c9e173
• Opcode Fuzzy Hash: 917595ce0c92c6884b07a30600ae673a975f8174c60f98ae381c5ae076f0d1ba
• Instruction Fuzzy Hash: EAA3DFB4D052689BDB25CFA9D991ADDFBB0BF48304F1081DAE849B7341DB306A84CF65
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?,?,?,?,?,?,?,?,?), ref: 0049D33D
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0049D374
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0049D39A
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,?), ref: 0049D53A
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,00000104), ref: 0049D7A8
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000001,?,?), ref: 0049D895
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000003,?,?), ref: 0049D9D6
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000003,?,?), ref: 0049DAC3
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000003,?,?), ref: 0049DBB0
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,00000003,?,?), ref: 0049DC9D
  • Part of subcall function 0042FC4B: RaiseException.KERNEL32(E06D7363,00000001,00000003,00417EFB,?,?,?,0042C598,00417EFB,005784EC,?,00417EFB), ref: 0042FCAB
• RegCloseKey.ADVAPI32(00000000), ref: 0049EE67
• RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 0049EEA0
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0049EEB4
Strings
• invalid stoi argument, xrefs: 004A002F
• cannot use operator[] with a string argument with , xrefs: 0049EF75
• stoi argument out of range, xrefs: 004A0025
• cannot use push_back() with , xrefs: 0049EF16
Similarity
• API ID: QueryValue$CloseEnumOpen$ExceptionRaise
• String ID: cannot use operator[] with a string argument with $cannot use push_back() with $invalid stoi argument$stoi argument out of range
• API String ID: 2021570681-1606007317
• Opcode ID: 676ef7a70a303ec808f10bcd67f5a21b0b6396324d99fca486544f797c673394
• Instruction ID: 57cc1c8c03c56a0844d741e814d2024dbcff269c685614372db8ad591986b9b7
• Opcode Fuzzy Hash: 676ef7a70a303ec808f10bcd67f5a21b0b6396324d99fca486544f797c673394
• Instruction Fuzzy Hash: 726336B4D002689FDB25CF68C885BEEBBB5BF49304F1481EAE449A7341DB346A85CF54
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_000D23C0,00000000,00000000,00000000), ref: 0045518C
                                                                                                                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00455193
                                                                                                                                      • Sleep.KERNELBASE(00000001), ref: 00455259
                                                                                                                                      • GetTempPathA.KERNELBASE(000000FC,?,?), ref: 00455358
                                                                                                                                        • Part of subcall function 004F2CD0: GetFileAttributesA.KERNELBASE(?,?,?,0055A5B3,000000FF), ref: 004F2D0C
                                                                                                                                        • Part of subcall function 004F2CD0: GetLastError.KERNEL32(?,?,0055A5B3,000000FF), ref: 004F2D17
                                                                                                                                        • Part of subcall function 004F2870: FindFirstFileA.KERNELBASE(?,?,00588E90,?,?,?,\*.*,00000004), ref: 004F298C
                                                                                                                                        • Part of subcall function 004F2870: FindNextFileA.KERNELBASE(00000000,00000010), ref: 004F2B28
                                                                                                                                        • Part of subcall function 004F2870: FindClose.KERNEL32(00000000), ref: 004F2B38
                                                                                                                                        • Part of subcall function 004F2870: GetLastError.KERNEL32 ref: 004F2B3E
                                                                                                                                      • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00455601
                                                                                                                                      • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00455628
                                                                                                                                        • Part of subcall function 00407B10: GetFileAttributesA.KERNEL32(?,7FFFFFFF,?,?,?,?,00000000,00558869,000000FF,?,?,00000000,00000001), ref: 00407B6A
                                                                                                                                        • Part of subcall function 00407B10: CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00000000,00558869,000000FF,?,?,00000000), ref: 00407BF2
                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045563F
                                                                                                                                      • OutputDebugStringA.KERNELBASE(43t res tgy45yfhyrt), ref: 0045A295
                                                                                                                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 0045A407
                                                                                                                                      • GetLastError.KERNEL32 ref: 0045A419
                                                                                                                                      • Sleep.KERNEL32(00007530), ref: 0045A435
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Create$FileFind$DirectoryErrorLast$AttributesCloseSleep$ChangeDebugFirstMutexNextNotificationOutputPathStringTempThreadUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                      • String ID: 43t res tgy45yfhyrt
                                                                                                                                      • API String ID: 2654281156-696058833
                                                                                                                                      • Opcode ID: bbbbf47c8a5e06c1d7690fa1e27cfe45ee61c4ba94deedae21c20f28b54deb4a
                                                                                                                                      • Instruction ID: 9c8f78141530d7c3e3186ab54bd11a1a12a778bbd7b21b6fbf1c18c7b6f6a787
                                                                                                                                      • Opcode Fuzzy Hash: bbbbf47c8a5e06c1d7690fa1e27cfe45ee61c4ba94deedae21c20f28b54deb4a
                                                                                                                                      • Instruction Fuzzy Hash: 52425AB45093819FC324DF29C491AAEBBE1FFD8344F40491EE98997352DB34A949CF86
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • FindFirstFileA.KERNELBASE(?,?,00588E90,?,?,?,\*.*,00000004), ref: 004F298C
                                                                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,00588E90,?,?), ref: 004F2AFC
                                                                                                                                      • DeleteFileA.KERNEL32(?), ref: 004F2B16
                                                                                                                                      • FindNextFileA.KERNELBASE(00000000,00000010), ref: 004F2B28
                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 004F2B38
                                                                                                                                      • GetLastError.KERNEL32 ref: 004F2B3E
                                                                                                                                      • SetFileAttributesA.KERNELBASE(?,00000080), ref: 004F2B5B
                                                                                                                                      • RemoveDirectoryA.KERNELBASE(?), ref: 004F2B79
                                                                                                                                      • GetLastError.KERNEL32 ref: 004F2B8E
                                                                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004F2C46
                                                                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004F2C57
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000,00000005), ref: 004F2C92
                                                                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004F2CAD
                                                                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004F2CBE
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$Cpp_errorThrow_std::_$Find$AttributesDirectoryErrorLast$CloseCreateDeleteFirstNextRemove
                                                                                                                                      • String ID: \*.*
                                                                                                                                      • API String ID: 2701998425-1173974218
                                                                                                                                      • Opcode ID: 3f1b56a47a2a23220f003d827ea7f97c620c789100f4a682782f552b8e55963f
                                                                                                                                      • Instruction ID: 6c1dec9a71fc218d50f2f533adda7eb018bfb0a0a602ed1d80391e42354044fb
                                                                                                                                      • Opcode Fuzzy Hash: 3f1b56a47a2a23220f003d827ea7f97c620c789100f4a682782f552b8e55963f
                                                                                                                                      • Instruction Fuzzy Hash: 37C17830D002089BDB24DF68CD897FEBBB5EF15314F14421AE944A7392DBB8AA85CB55
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,8C8DEFFF), ref: 004CC77E
                                                                                                                                        • Part of subcall function 004D0620: FindFirstFileA.KERNELBASE(?,?,?,?,?,00000000,?,?), ref: 004D0771
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileFindFirstFolderPath
                                                                                                                                      • String ID: $r($MjL$cannot use operator[] with a string argument with $cannot use push_back() with $fGVm$fGVm$k>2$xH>$I$I$I
                                                                                                                                      • API String ID: 2195519125-3021718430
                                                                                                                                      • Opcode ID: ac6d604072661fe4c4676738c85422ba399c9a1032f14f84be955ce2e61e24eb
                                                                                                                                      • Instruction ID: 58fff7fa39e1a7d59a690a9eb2d20e9a3d742f11dd313cf94c949deb9fb380dd
                                                                                                                                      • Opcode Fuzzy Hash: ac6d604072661fe4c4676738c85422ba399c9a1032f14f84be955ce2e61e24eb
                                                                                                                                      • Instruction Fuzzy Hash: 5143DAB4D052688BDB65CF68C991BDDBBB5BF48304F1081DAE809BB281DB346E84CF55
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 004091BF: CreateDirectoryA.KERNELBASE(00000000,00000000,?), ref: 0040A601
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045B14B
                                                                                                                                      • CreateDirectoryA.KERNEL32(0000000F,00000000,?,?), ref: 0045B6CD
                                                                                                                                      • CreateDirectoryA.KERNEL32(0000000F,00000000,0000000F,00000000,?,?), ref: 0045B8E9
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,0000000F,00000000,?,?), ref: 0045BA77
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 0045C326
                                                                                                                                      • GetFileAttributesA.KERNEL32(00000000,?,?,?,?,?), ref: 0045C8B2
                                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?), ref: 0045C8BD
                                                                                                                                        • Part of subcall function 0042D43A: ReleaseSRWLockExclusive.KERNEL32(004F2D39), ref: 0042D44E
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?), ref: 0045C90D
                                                                                                                                      • CreateDirectoryA.KERNEL32(00000000,00000000,?,?,6F2977B7,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0045CB49
                                                                                                                                      • CreateDirectoryA.KERNEL32(00000000,00000000,6F2977B7,?,?,6F2977B7,?,00000000,00000000,?,?,?,?,?,?,6F2977B7), ref: 0045D1EF
                                                                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 0045DB22
                                                                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 0045DB33
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorExclusiveFileLastLockRelease
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4067333799-0
                                                                                                                                      • Opcode ID: 6c67059c5e63add424eb0f0712fba8c52b150270e0a7de0dffa12fca63891b96
                                                                                                                                      • Instruction ID: 68c8495f6346b6796ce830d8594ba972bb16e4ec352a3aae9e85973fddee60a8
                                                                                                                                      • Opcode Fuzzy Hash: 6c67059c5e63add424eb0f0712fba8c52b150270e0a7de0dffa12fca63891b96
                                                                                                                                      • Instruction Fuzzy Hash: E1334770D042689BDB25CF68CD847EDBBB5BF49304F1082DAE849A7242DB346E89CF55
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • LoadLibraryA.KERNELBASE(?), ref: 00453EDB
                                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000200,?,?,?,00000000), ref: 00454150
                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004545B7
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileLibraryLoadModuleNameUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                      • String ID: 0Dl$}Y5
                                                                                                                                      • API String ID: 930999232-1570795750
                                                                                                                                      • Opcode ID: 21cceb69790c5630be04a10a755475bbac4ffb76be7b30abaaa74e4562c39815
                                                                                                                                      • Instruction ID: 10a045a72fdef8fbde72ed29e00345329cee5710bca7ea7815d978a91b3df7d8
                                                                                                                                      • Opcode Fuzzy Hash: 21cceb69790c5630be04a10a755475bbac4ffb76be7b30abaaa74e4562c39815
                                                                                                                                      • Instruction Fuzzy Hash: CEA21BB45083828FC324CF19C49069AFBE1FFD9344F15491EE9999B352DB30A989CF96
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

APIs
• setsockopt.WS2_32(00000338,0000FFFF,00001006,?,00000008), ref: 004D2466
• recv.WS2_32(?,00000004,00000002), ref: 004D2481
• WSAGetLastError.WS2_32 ref: 004D2485
• recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 004D24EE
• recv.WS2_32(00000000,0000000C,00000008), ref: 004D250F
• setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004D258B
• recv.WS2_32(00000000,?,00000008), ref: 004D25AC
  • Part of subcall function 004D3150: WSAStartup.WS2_32 ref: 004D317A
  • Part of subcall function 004D3150: getaddrinfo.WS2_32(?,?,?,00588CC0), ref: 004D31FC
  • Part of subcall function 004D3150: socket.WS2_32(?,?,?), ref: 004D321D
  • Part of subcall function 004D3150: connect.WS2_32(00000000,0055F6D1,?), ref: 004D3231
  • Part of subcall function 004D3150: closesocket.WS2_32(00000000), ref: 004D323D
  • Part of subcall function 004D3150: freeaddrinfo.WS2_32(?,?,?,?,00588CC0,?,?), ref: 004D324A
  • Part of subcall function 004D3150: WSACleanup.WS2_32 ref: 004D3250
• recv.WS2_32(?,00000004,00000008), ref: 004D27D6
• __Xtime_get_ticks.LIBCPMT ref: 004D27DA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D27E8
• Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004D284F
• Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004D285D
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: recv$Sleepsetsockopt$CleanupErrorLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectfreeaddrinfogetaddrinfosocket
• String ID:
• API String ID: 4125349891-0
• Opcode ID: 0faf3052afb1c00782cdab9ebe53fd988e07a330ab3ea123e73c5a32e3e42a17
• Instruction ID: 15ea99ae058cf58d21446cf462f8f8b9c5c04bab4b96d95aa166a16db5b48a04
• Opcode Fuzzy Hash: 0faf3052afb1c00782cdab9ebe53fd988e07a330ab3ea123e73c5a32e3e42a17
• Instruction Fuzzy Hash: 55E13230900244DFDB15DBA4CDA07ADBBF1BF66310F24425BE841AB2D2DBB45C8ADB95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 6414 40f27e-40f2a8 call 417ea0 call 414090 call 4ec100 6421 40f2b2-40f37a call 417ea0 call 403420 call 4f2cd0 6414->6421 6422 40f2aa-40f2ae 6414->6422 6429 40f380-40f44b call 417ea0 call 403420 6421->6429 6430 40f44d 6421->6430 6422->6421 6429->6430 6431 40f451-40f456 6429->6431 6430->6431 6433 40f458-40f464 call 4031c0 6431->6433 6434 40f469-40f46d 6431->6434 6433->6434 6437 40f551-40f619 call 417ea0 call 403420 call 4f2cd0 6434->6437 6438 40f473-40f547 call 417ea0 call 414090 call 4ec100 6434->6438 6454 40f6e7 6437->6454 6455 40f61f-40f6e5 call 417ea0 call 403420 6437->6455 6438->6437 6456 40f549-40f54d 6438->6456 6458 40f6eb-40f6f1 6454->6458 6455->6454 6455->6458 6460 40f6f3-40f6f9 call 4031c0 6458->6460 6461 40f6fe-40f702 6458->6461 6460->6461 6462 40f7e6-40f8b9 call 417ea0 call 403420 call 403260 call 4f2d70 6461->6462 6463 40f708-40f7dc call 417ea0 call 414090 call 4ec100 6461->6463 6483 40f9a6-40f9e5 call 4031c0 * 5 6462->6483 6484 40f8bf-40f99c call 417ea0 call 403420 * 2 CopyFileA call 4031c0 6462->6484 6463->6462 6480 40f7de-40f7e2 6463->6480 6480->6462 6504 40f9e7-40f9f6 call 4f2870 6483->6504 6505 40f9f9-40face call 4031c0 call 417ea0 call 403420 CreateDirectoryA 6483->6505 6484->6483 6502 40f99e-40f9a2 6484->6502 6502->6483 6504->6505 6514 40fad4-40fc8e call 403260 call 43cc71 call 417fd0 call 4031c0 call 414090 call 4d0620 call 412f70 call 412f60 6505->6514 6515 4100ee-4101b4 call 417ea0 call 403420 CreateDirectoryA 6505->6515 6565 40fc94-40fda2 call 414090 call 417e60 call 405140 call 417aa0 call 416470 call 413b90 6514->6565 6566 4100bc-4100cb call 4f2870 6514->6566 6525 410611-410615 6515->6525 6526 4101ba-41026a call 4034c0 6515->6526 6527 410617-410626 call 4f2870 6525->6527 6528 410629-410681 call 4031c0 * 7 6525->6528 6538 410270-410275 6526->6538 6527->6528 6580 410687-41074f call 417ea0 call 403420 CreateDirectoryA 6528->6580 6581 410b5c-410b6e 6528->6581 6538->6538 6541 410277-410339 call 4034e0 call 43cc71 6538->6541 6556 410340-410345 6541->6556 6556->6556 6559 410347-410387 call 41c4c0 call 403210 call 4031c0 call 403420 call 4f2cd0 6556->6559 6602 4105f0-4105ff call 4f2870 6559->6602 6603 41038d-410446 call 417ea0 call 4f2d70 6559->6603 6615 40ff60-41007b call 417ea0 call 418040 call 403420 * 2 CopyFileA call 4031c0 * 2 6565->6615 6616 40fda8-40fe84 call 413b90 6565->6616 6578 4100ce-4100e8 call 416210 call 4031c0 6566->6578 6578->6515 6600 410b51-410b57 call 4031c0 6580->6600 6601 410755-410872 6580->6601 6600->6581 6601->6600 6613 410602-41060c call 4031c0 6602->6613 6603->6602 6620 41044c-4105e8 call 417ea0 call 403420 call 417ea0 call 403420 CopyFileA call 4031c0 * 2 6603->6620 6613->6525 6633 410085-4100b0 call 4031c0 call 416470 call 4031c0 6615->6633 6656 41007d-410081 6615->6656 6616->6615 6626 40fe8a-40ff5a call 413b90 6616->6626 6620->6602 6657 4105ea-4105ee 6620->6657 6626->6615 6626->6633 6633->6565 6654 4100b6-4100ba 6633->6654 6654->6566 6654->6578 6656->6633 6657->6613
APIs
  • Part of subcall function 004EC100: FindFirstFileA.KERNEL32(00000000,?,?,?,0040EE72,?,?,?,74DF3100,00000000), ref: 004EC2D1
  • Part of subcall function 004EC100: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,0056AD5C,00000001,0000002E,0000002F,?,?), ref: 004EC51B
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040F987
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041005B
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 004101B0
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004105C4
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040FACA
  • Part of subcall function 004F2870: FindFirstFileA.KERNELBASE(?,?,00588E90,?,?,?,\*.*,00000004), ref: 004F298C
  • Part of subcall function 004D0620: FindFirstFileA.KERNELBASE(?,?,?,?,?,00000000,?,?), ref: 004D0771
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: File$CopyCreateDirectoryFindFirst
• String ID: O$R
• API String ID: 373589188-4027237009
• Opcode ID: 6ff6d5013c8434a8ee4947cc14be3fe5061ef08630dbc4a813d58d2dd30fbd95
• Instruction ID: 017b9f8166701b81c76e149bd8a39be73d8c81c57d3f3376f9e00ba9977ba801
• Opcode Fuzzy Hash: 6ff6d5013c8434a8ee4947cc14be3fe5061ef08630dbc4a813d58d2dd30fbd95
• Instruction Fuzzy Hash: A0E2C1B4D1426C9BCB24CFA9D891ADDBBB0BF48308F4081DAE819B7351EB345A85CF55
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 6658 40efaf-40efcf call 417ea0 call 403420 call 4f2cd0 6665 40efd5-40f0d8 6658->6665 6666 40f128-40f131 6658->6666 6665->6666 6667 40f133-40f13f call 4031c0 6666->6667 6668 40f144-40f148 6666->6668 6667->6668 6670 40f2b2-40f37a call 417ea0 call 403420 call 4f2cd0 6668->6670 6671 40f14e-40f254 6668->6671 6678 40f380-40f44b call 417ea0 call 403420 6670->6678 6679 40f44d 6670->6679 6671->6670 6678->6679 6680 40f451-40f456 6678->6680 6679->6680 6682 40f458-40f464 call 4031c0 6680->6682 6683 40f469-40f46d 6680->6683 6682->6683 6686 40f551-40f619 call 417ea0 call 403420 call 4f2cd0 6683->6686 6687 40f473-40f547 call 417ea0 call 414090 call 4ec100 6683->6687 6703 40f6e7 6686->6703 6704 40f61f-40f6e5 call 417ea0 call 403420 6686->6704 6687->6686 6705 40f549-40f54d 6687->6705 6707 40f6eb-40f6f1 6703->6707 6704->6703 6704->6707 6705->6686 6709 40f6f3-40f6f9 call 4031c0 6707->6709 6710 40f6fe-40f702 6707->6710 6709->6710 6711 40f7e6-40f8b9 call 417ea0 call 403420 call 403260 call 4f2d70 6710->6711 6712 40f708-40f7dc call 417ea0 call 414090 call 4ec100 6710->6712 6732 40f9a6-40f9e5 call 4031c0 * 5 6711->6732 6733 40f8bf-40f99c call 417ea0 call 403420 * 2 CopyFileA call 4031c0 6711->6733 6712->6711 6729 40f7de-40f7e2 6712->6729 6729->6711 6753 40f9e7-40f9f6 call 4f2870 6732->6753 6754 40f9f9-40face call 4031c0 call 417ea0 call 403420 CreateDirectoryA 6732->6754 6733->6732 6751 40f99e-40f9a2 6733->6751 6751->6732 6753->6754 6763 40fad4-40fc8e call 403260 call 43cc71 call 417fd0 call 4031c0 call 414090 call 4d0620 call 412f70 call 412f60 6754->6763 6764 4100ee-4101b4 call 417ea0 call 403420 CreateDirectoryA 6754->6764 6814 40fc94-40fda2 call 414090 call 417e60 call 405140 call 417aa0 call 416470 call 413b90 6763->6814 6815 4100bc-4100cb call 4f2870 6763->6815 6774 410611-410615 6764->6774 6775 4101ba-41026a call 4034c0 6764->6775 6776 410617-410626 call 4f2870 6774->6776 6777 410629-410681 call 4031c0 * 7 6774->6777 6787 410270-410275 6775->6787 6776->6777 6829 410687-41074f call 417ea0 call 403420 CreateDirectoryA 6777->6829 6830 410b5c-410b6e 6777->6830 6787->6787 6790 410277-410339 call 4034e0 call 43cc71 6787->6790 6805 410340-410345 6790->6805 6805->6805 6808 410347-410387 call 41c4c0 call 403210 call 4031c0 call 403420 call 4f2cd0 6805->6808 6851 4105f0-4105ff call 4f2870 6808->6851 6852 41038d-410446 call 417ea0 call 4f2d70 6808->6852 6864 40ff60-41007b call 417ea0 call 418040 call 403420 * 2 CopyFileA call 4031c0 * 2 6814->6864 6865 40fda8-40fe84 call 413b90 6814->6865 6827 4100ce-4100e8 call 416210 call 4031c0 6815->6827 6827->6764 6849 410b51-410b57 call 4031c0 6829->6849 6850 410755-410872 6829->6850 6849->6830 6850->6849 6862 410602-41060c call 4031c0 6851->6862 6852->6851 6869 41044c-4105e8 call 417ea0 call 403420 call 417ea0 call 403420 CopyFileA call 4031c0 * 2 6852->6869 6862->6774 6882 410085-4100b0 call 4031c0 call 416470 call 4031c0 6864->6882 6905 41007d-410081 6864->6905 6865->6864 6875 40fe8a-40ff5a call 413b90 6865->6875 6869->6851 6906 4105ea-4105ee 6869->6906 6875->6864 6875->6882 6882->6814 6903 4100b6-4100ba 6882->6903 6903->6815 6903->6827 6905->6882 6906->6862
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AttributesErrorFileLast
• String ID: O
• API String ID: 1799206407-878818188
• Opcode ID: 6b37fd79ffc1c9e46e022225280fd59d41bce1fa78d96697caf820a1ef18fd7c
• Instruction ID: a1bdfb379abbadc3b7a25386895afbd508209c9c3625fe49d26d3726bebe9a46
• Opcode Fuzzy Hash: 6b37fd79ffc1c9e46e022225280fd59d41bce1fa78d96697caf820a1ef18fd7c
• Instruction Fuzzy Hash: 9FF2C0B8D1426C9BCB24CFA9D891ADDFBB0BF48304F4081AAE819B7351DB345A85CF55
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID: $%s.%s$%s: %s$%s: %s.%s$no such table$no such table: %s$no tables specified$sqlite_subquery_%p_$too many columns in result set
• API String ID: 0-1803442545
• Opcode ID: ed3eb76e38432dfcf2c41c3c2ff9c64b0abde587c075ee60f4f1a0e99f832519
• Instruction ID: dbcf86031569527fedc52a40f5d4d288d03f0ee8d1881843e8073522b91ea1c3
• Opcode Fuzzy Hash: ed3eb76e38432dfcf2c41c3c2ff9c64b0abde587c075ee60f4f1a0e99f832519
• Instruction Fuzzy Hash: DE626F746043428FE720DF28C484B9ABFE1BF88314F14896DE8999B352E775ED85CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004F2F40: GetModuleHandleA.KERNEL32(?), ref: 004F3048
  • Part of subcall function 004F2F40: GetProcAddress.KERNEL32(00000000,?), ref: 004F3053
• CreateDirectoryA.KERNELBASE(00000000,00000000,?), ref: 0040A601
Strings
• cannot use operator[] with a string argument with , xrefs: 0040A47B
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AddressCreateDirectoryHandleModuleProc
• String ID: cannot use operator[] with a string argument with
• API String ID: 2385557062-2766135566
• Opcode ID: f03af19c7f16ad732d3f9550e3d4c6533829a0b28d9025b2e739b9ffc88b3ed4
• Instruction ID: ded7b3acff67d6fc93a9f934a04086679630f068c6daeca2e519d3ea19527e87
• Opcode Fuzzy Hash: f03af19c7f16ad732d3f9550e3d4c6533829a0b28d9025b2e739b9ffc88b3ed4
• Instruction Fuzzy Hash: 74C210B4D042689BDB25CF58C984BDDBBB0BF58304F1481DAE849B7381DB746A84CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00424C30: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00424CC9
  • Part of subcall function 00424C30: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 00424D11
• GetFileAttributesA.KERNELBASE(?), ref: 004F6A45
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004F7081
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ___std_fs_convert_narrow_to_wide@20$AttributesFileIos_base_dtorstd::ios_base::_
• String ID: .zip$@G@$recursive_directory_iterator::recursive_directory_iterator$status
• API String ID: 3330089674-1374571796
• Opcode ID: a254c811bd66006a2e106c1ce27d34735d39606b8b5d0ca17b880f5d563773b2
• Instruction ID: 5c112c02936b25d4fb78ed62e4cf61e9fc9cdc42541c04c932bd90300030b25b
• Opcode Fuzzy Hash: a254c811bd66006a2e106c1ce27d34735d39606b8b5d0ca17b880f5d563773b2
• Instruction Fuzzy Hash: 8482CE70D002588FDB14DF68C884BEEBBB1BF55304F1441AEE549A7292DB38AE85CF95
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID: WITHOUT ROWID$WITHOUT ROWID$d$library routine called out of sequence$out of memory$pkU$unknown error$hU
• API String ID: 0-3288033085
• Opcode ID: 068cd0329f20d8736a8f955442bc76b3a7b22ac43507fa51aa49c9a64e506910
• Instruction ID: 497802968e842dde83b933efc766fcc9b30b40c45d497888dbf4db774b5c934f
• Opcode Fuzzy Hash: 068cd0329f20d8736a8f955442bc76b3a7b22ac43507fa51aa49c9a64e506910
• Instruction Fuzzy Hash: 5CB2CF70605B52DFC728CF28E494A6BBBF1BF96304F14492DE88A97391D731E845CB86
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Rendered graph with its Executed/Not Executed colouring omitted; the node dump is reduced to its recoverable content.) Function 0045A5C0-0045A77D. API-calling blocks: GetCursorPos at 45a5c0, 45a5d5 and 45a668; GetPEB at 45a5f3 and 45a6a8; Sleep at 45a668 (Sleep(0x3E9) = 1001 ms, followed in the same block by GetCursorPos) and at 45a71d (Sleep(1)), whose block loops back to the GetCursorPos block at 45a5d5; the two blocks at 45a747 and 45a760 call the internal routine 4f6620.
APIs
• GetCursorPos.USER32(?), ref: 0045A5D3
• GetCursorPos.USER32(?), ref: 0045A5D9
• Sleep.KERNELBASE(000003E9,?,?,?,?,?,?,?,?,?,?,?,00453DEA), ref: 0045A688
• GetCursorPos.USER32(?), ref: 0045A68E
• Sleep.KERNELBASE(00000001,?,?,?,?,?,?,?,?,?,?,?,00453DEA), ref: 0045A73A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Cursor$Sleep
• String ID: =E
• API String ID: 1847515627-2289002813
• Opcode ID: 87aaf06eb3feef4bfb938811ad3031e6b1e2923ec5a892cc3e26860d6edd803d
• Instruction ID: 823f227e19ebc1f4262c84ee3b7a9e46c16cc5b48225767440be61142120e435
• Opcode Fuzzy Hash: 87aaf06eb3feef4bfb938811ad3031e6b1e2923ec5a892cc3e26860d6edd803d
• Instruction Fuzzy Hash: B151CC35A00215CFCB18CF58C4C4EAAB7B1FF49705F19429AD945AB312D739ED1ACB81
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 004B384B
  • Part of subcall function 0041A800: ___std_exception_destroy.LIBVCRUNTIME ref: 0041A959
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: FolderPath___std_exception_destroy
• String ID: cannot use operator[] with a string argument with $I$I$I
• API String ID: 3548636424-122575368
• Opcode ID: c6eec8c008951a87c4008fa0c80814e9d5c82aea64a0d09529715c28e4b507bf
• Instruction ID: df9c875d8cc877c3b3a93ee254c84c4b376f22100dfb1a1e0afc37ba53127f04
• Opcode Fuzzy Hash: c6eec8c008951a87c4008fa0c80814e9d5c82aea64a0d09529715c28e4b507bf
• Instruction Fuzzy Hash: 2803F0B4D002689BDB29CF68D980BDDBBB5AF49304F1481DAE449BB341DB346E85CF64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Rendered graph omitted; the node dump is reduced to its recoverable content.) Function 0040D468; its blocks span 0040D468-00410B6E and from 40d5cf onward it shares its body with the function at 0040D5B3 below. API-calling blocks: CreateDirectoryA at 40d98a, 40def2, 40dfc0, 40e397, 40e6d2, 40e987, 40ecb0, 40fa08, 4100ee and 410687; CopyFileA at 40d74e, 40ff60 and 41044c. The remaining calls are to internal routines, among them 4f2cd0, 4d0620 and 4f2870.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AttributesErrorFileLast
• String ID: 0
• API String ID: 1799206407-4108050209
• Opcode ID: 20c5174ce98549ec0c6dd1ca7c0aa0ae184400a2f8ba70ec022d77deb839179e
• Instruction ID: d3553316db2c8dc36a3c53aaf8957dde30e24de572f0d1dfc5b1ab8cdc92ac15
• Opcode Fuzzy Hash: 20c5174ce98549ec0c6dd1ca7c0aa0ae184400a2f8ba70ec022d77deb839179e
• Instruction Fuzzy Hash: 9F82D1B4D1526C9BDB25DFA9D881ADCFBB4BF58304F0081AAE819B7341DB346A84CF54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Rendered graph omitted; the node dump is reduced to its recoverable content.) Function 0040D5B3; its blocks span 0040D5B3-00410B6E and from 40d5cf onward it shares its body with the function at 0040D468 above. API-calling blocks: CreateDirectoryA at 40d98a, 40def2, 40dfc0, 40e397, 40e6d2, 40e987, 40ecb0, 40fa08, 4100ee and 410687; CopyFileA at 40d74e, 40ff60 and 41044c. The remaining calls are to internal routines, among them 4f2cd0 (GetFileAttributesA/GetLastError, per the APIs list below), 4d0620 (FindFirstFileA) and 4f2870.
APIs
  • Part of subcall function 004F2CD0: GetFileAttributesA.KERNELBASE(?,?,?,0055A5B3,000000FF), ref: 004F2D0C
  • Part of subcall function 004F2CD0: GetLastError.KERNEL32(?,?,0055A5B3,000000FF), ref: 004F2D17
• CreateDirectoryA.KERNELBASE(00000000,00000000,?), ref: 0040DFB6
  • Part of subcall function 004D0620: FindFirstFileA.KERNELBASE(?,?,?,?,?,00000000,?,?), ref: 004D0771
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040D861
• CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040DA53
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: File$CreateDirectory$AttributesCopyErrorFindFirstLast
• String ID: 0
• API String ID: 1992414881-4108050209
• Opcode ID: 3e68c3b3d457e3452e11eb820172a8cb170b5eb6bc13edacf9ab9f801514a970
• Instruction ID: ec346d06faf5f83f79fa264e4de1f910cfb6169a76344738abf340e848d07b8c
• Opcode Fuzzy Hash: 3e68c3b3d457e3452e11eb820172a8cb170b5eb6bc13edacf9ab9f801514a970
• Instruction Fuzzy Hash: AD72D1B4D152689BDB25DFA9D881ADCFBB4BF58304F0081EAE819B7341DB346A84CF54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040CC14
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040CD14
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040D1DD
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040D332
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CopyCreateDirectoryFile
• String ID: !
• API String ID: 3761107634-2657877971
• Opcode ID: 6e410194fcd50901128c0766d10c1e75220fdc67d70d05ee7b3424c3a4a01f65
• Instruction ID: e66ea828580897357c3337ece30a7bcdfe6fa77db8e0ad74278681913a0db402
• Opcode Fuzzy Hash: 6e410194fcd50901128c0766d10c1e75220fdc67d70d05ee7b3424c3a4a01f65
• Instruction Fuzzy Hash: DF52E2B8D052689BDB24DF69D981ADCBBB0BF48314F1481EAE849B7341DB305E84CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004F2CD0: GetFileAttributesA.KERNELBASE(?,?,?,0055A5B3,000000FF), ref: 004F2D0C
  • Part of subcall function 004F2CD0: GetLastError.KERNEL32(?,?,0055A5B3,000000FF), ref: 004F2D17
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040E794
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040EA49
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID: B
• API String ID: 2267087916-1255198513
• Opcode ID: 4675d498882eaab8bcb66d508d4128d8251963df79c65c724d9ca310621736ae
• Instruction ID: 18f978b0f6646b41db9d4fa06ff2f241acb7d76137c4f260d1526695a4699fe5
• Opcode Fuzzy Hash: 4675d498882eaab8bcb66d508d4128d8251963df79c65c724d9ca310621736ae
• Instruction Fuzzy Hash: 385204B4D1526C9BDB25CFA9E981ADCFBB4BF48304F0081AAE919B7341D7341A84CF59
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 490ef61a838fcbfa894a6fe40ce936e2c0c96c3f993b8de2707439853f73c299
• Instruction ID: 9c4df05857bd84bc3601df45bbcef84d76791ef7a0d211089cd22e916cc2e826
• Opcode Fuzzy Hash: 490ef61a838fcbfa894a6fe40ce936e2c0c96c3f993b8de2707439853f73c299
• Instruction Fuzzy Hash: 63A23470C042689BDB25CF68CD84BEDBBB5AF59304F1082DAE849B7252DB345E89CF54
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,?,00000000,?,?), ref: 004D0771
• FindNextFileA.KERNELBASE(0000000F,00000010), ref: 004D0A36
• GetLastError.KERNEL32 ref: 004D0A44
• FindClose.KERNEL32(0000000F), ref: 004D0A56
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstLastNext
• String ID:
• API String ID: 819619735-0
• Opcode ID: 670de599fd2c045ba831aa5506c8298e033969c34e72791b2ef53cc8419cf420
• Instruction ID: e03e187f96ff4dfc0117b7cb6e2bb59febb9782db7a0b13eee296deb0d69a62d
• Opcode Fuzzy Hash: 670de599fd2c045ba831aa5506c8298e033969c34e72791b2ef53cc8419cf420
• Instruction Fuzzy Hash: C7827BB0D002499FDB14CFA4C9917EEBBB1FF58304F14829AD8496B342D734AA85CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• MessageBoxA.USER32 ref: 00454582
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004545B7
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00454623
• GetProcessId.KERNELBASE(0000A9BE,00000000,00000000,00000003,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00454685
  • Part of subcall function 004E2C80: IsDebuggerPresent.KERNEL32 ref: 004E2C93
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$DebuggerMessagePresentProcess
• String ID:
• API String ID: 4109920361-0
• Opcode ID: a55321b5548f037b8ecd5a9ea3b9d8cefd08b925cd4ac8e08664165a2c44be84
• Instruction ID: c12a46aea3045f5eb56cfd6aac46948695978722b9a007b8c1f4006fdd805c17
• Opcode Fuzzy Hash: a55321b5548f037b8ecd5a9ea3b9d8cefd08b925cd4ac8e08664165a2c44be84
• Instruction Fuzzy Hash: 0671BF756083818BC325CF18C84075ABBE1FFD9319F154A1FEC859B352DB349888CB8A
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00447E03,00000000,00000000,00000000), ref: 00447CC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: InformationTimeZone
• String ID: W. Europe Standard Time$W. Europe Summer Time
• API String ID: 565725191-690618308
• Opcode ID: 45ed093c542864df7f6f6bfdd000931ff422ff8c2949e65a0c88095de6a35219
• Instruction ID: ea3c3819e00c7610c2bdce84c30dacc5ed2750e9284a6662424918e6eb4f3f86
• Opcode Fuzzy Hash: 45ed093c542864df7f6f6bfdd000931ff422ff8c2949e65a0c88095de6a35219
• Instruction Fuzzy Hash: A2C13771D04115ABEB10BF65DC02ABF7BA9EF04758F64445BF900EB281EB389E42C798
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004D1275
                                                                                                                                      • LocalFree.KERNEL32(?), ref: 004D12A4
                                                                                                                                      • LocalFree.KERNEL32(?,?), ref: 004D1365
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FreeLocal$CryptDataUnprotect
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2835072361-0
                                                                                                                                      • Opcode ID: f437a319516cb71d49f51f1e3b8985fecd22a3b95341de68aad5641ad33ff639
                                                                                                                                      • Instruction ID: edacca0892e7d6bf58cfe28d189f09218ecc2b188b76278acbc21aeb1f3e2cb0
                                                                                                                                      • Opcode Fuzzy Hash: f437a319516cb71d49f51f1e3b8985fecd22a3b95341de68aad5641ad33ff639
                                                                                                                                      • Instruction Fuzzy Hash: DD312631D001086BEB00ABA9DC857FEB779EF59314F00817BEC18B7351EB3959858BA5
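                                                                                                                                      The three trace shapes in this section are the API combinations that matter for a stealer verdict: CryptUnprotectData followed by LocalFree (above) is the DPAPI call that decrypts blobs protected under the logged-on user's master key, such as browser credential stores; FindFirstFileExW/FindClose is directory enumeration; and the RmStartSession, RmRegisterResources, RmGetList, RmShutdown sequence followed by CopyFileA (traced in the Restart Manager function later in this section) is the documented way to list and stop the processes holding a file open so that a locked database can be copied. The following Python is an added example, not code from the Joe Sandbox report or from the sample. It parses bullet lines in the report's own "Api.MODULE(args), ref: ADDR" format and flags those combinations. The rule table and capability names are this example's own assumptions; the sample traces are copied from the report lines in this section.

```python
"""Classify Joe Sandbox per-function API traces by credential-stealer capability.

Added example (not from the Joe Sandbox report or the RisePro sample). It reads
bullet lines in the report's own format, e.g.
    • CryptUnprotectData.CRYPT32(?,00000000,...,?), ref: 004D1275
    • Part of subcall function 00551780: GetVersionExA.KERNEL32(?), ref: 005517A6
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0054BB45
and reports which rules of an assumed, illustrative rule table the function's
API set satisfies.
"""
import re
from dataclasses import dataclass
from typing import Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple                 # raw tokens; "?" means the sandbox could not resolve the value
    ref: int                    # call-site address
    subcall_of: Optional[int]   # set when the line reads "Part of subcall function X"


def parse_api_lines(text: str) -> list:
    """Return the ApiCall entries in a block of report text.
    Headers such as 'APIs' or 'Memory Dump Source' do not match and are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


# Assumed rule table: every group must be hit by at least one API in the function.
RULES = {
    # DPAPI decryption of a blob protected under the user's master key
    "dpapi_decrypt": [{"CryptUnprotectData"}],
    # Restart Manager: open session, register file, list lock holders, stop them
    "restart_manager_unlock": [{"RmStartSession"}, {"RmRegisterResources"},
                               {"RmGetList"}, {"RmShutdown"}],
    # a file copy in the same function that opened a Restart Manager session
    "copy_after_unlock": [{"RmStartSession"}, {"CopyFileA", "CopyFileW"}],
    "directory_enumeration": [{"FindFirstFileExW", "FindFirstFileW", "FindFirstFileA"}],
}


def capabilities(calls) -> list:
    """Sorted names of the rules satisfied by the function's API set."""
    seen = {c.api for c in calls}
    return sorted(name for name, groups in RULES.items()
                  if all(seen & group for group in groups))


RM_ORDER = ("RmStartSession", "RmRegisterResources", "RmGetList", "RmShutdown")


def restart_manager_in_order(calls) -> bool:
    """True when the first call site of each Restart Manager API lies at an
    increasing address: the session is opened before the file is registered,
    and the lock holders are listed before they are shut down."""
    first = {}
    for c in sorted(calls, key=lambda c: c.ref):
        first.setdefault(c.api, c.ref)
    refs = [first.get(api) for api in RM_ORDER]
    return None not in refs and refs == sorted(refs)


# Sample traces copied from the report blocks in this section.
DPAPI_TRACE = """\
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004D1275
• LocalFree.KERNEL32(?), ref: 004D12A4
• LocalFree.KERNEL32(?,?), ref: 004D1365
"""
ENUM_TRACE = """\
APIs
• FindClose.KERNEL32(000000FF,?,004209DA,?), ref: 0042C837
• FindFirstFileExW.KERNELBASE(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,004209DA,?), ref: 0042C866
• GetLastError.KERNEL32(?,004209DA,?), ref: 0042C878
"""
RESTART_MANAGER_TRACE = """\
• GetLastError.KERNEL32 ref: 004E35C8
• RmStartSession.RSTRTMGR(?,00000000,?), ref: 004E3620
• RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?), ref: 004E3657
• RmGetList.RSTRTMGR(?,00000000,?,?,?), ref: 004E367F
• RmShutdown.RSTRTMGR(?,00000001,00000000), ref: 004E36A0
• RmEndSession.RSTRTMGR(?), ref: 004E36F9
• SetLastError.KERNEL32(00000000), ref: 004E3700
• CopyFileA.KERNEL32(?,?,00000000), ref: 004E371F
"""
SUBCALL_TRACE = """\
  • Part of subcall function 00551780: GetVersionExA.KERNEL32(?), ref: 005517A6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0054BB45
"""

if __name__ == "__main__":
    for name, trace in [("dpapi", DPAPI_TRACE), ("enum", ENUM_TRACE),
                        ("rstrtmgr", RESTART_MANAGER_TRACE)]:
        calls = parse_api_lines(trace)
        print(name, [c.api for c in calls], capabilities(calls))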
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 00551780: GetVersionExA.KERNEL32(?), ref: 005517A6
                                                                                                                                      • GetVersionExA.KERNEL32(?), ref: 005510AE
                                                                                                                                      • GetFileAttributesW.KERNELBASE(00000000), ref: 005510CD
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Version$AttributesFile
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1468075466-0
                                                                                                                                      • Opcode ID: 1f021440039f82121490b15b1f236fdf0807d9e2ac99034605e0c2f6a5d68cd3
                                                                                                                                      • Instruction ID: 1b6ae3cb7f5bf0e907ef9fa77f2bed44bd693e69e760e1f883d9a1ea48be3fa6
                                                                                                                                      • Opcode Fuzzy Hash: 1f021440039f82121490b15b1f236fdf0807d9e2ac99034605e0c2f6a5d68cd3
                                                                                                                                      • Instruction Fuzzy Hash: 9A112736A006148BC720DF7DE988BAA7FE9FB59325F0001A7ED08D3250DA30DD48CBA5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • FindClose.KERNEL32(000000FF,?,004209DA,?), ref: 0042C837
                                                                                                                                      • FindFirstFileExW.KERNELBASE(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,004209DA,?), ref: 0042C866
                                                                                                                                      • GetLastError.KERNEL32(?,004209DA,?), ref: 0042C878
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Find$CloseErrorFileFirstLast
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4020440971-0
                                                                                                                                      • Opcode ID: 86c14a02093f16810e4dd88f91deff2d5f86e2f0abe4bed8fc1f86c1b24be754
                                                                                                                                      • Instruction ID: 8a27f9886f01e289c274a129579c59828a859e60d8a88321f661c1881ad45666
                                                                                                                                      • Opcode Fuzzy Hash: 86c14a02093f16810e4dd88f91deff2d5f86e2f0abe4bed8fc1f86c1b24be754
                                                                                                                                      • Instruction Fuzzy Hash: B4F0B431100518BFDB103F79EC488BE3B9CEF14371B508626F969D11B1D7718965D664
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0054BB45
                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0054BE47
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 885266447-0
                                                                                                                                      • Opcode ID: 8619c628930c15e3f64ee4185456f4c73d0beadc8a2f11204caef400f59f07bd
                                                                                                                                      • Instruction ID: a8910782226fa043b0ca02c89601bdb6306c66060be7ccd375e3029c486516c8
                                                                                                                                      • Opcode Fuzzy Hash: 8619c628930c15e3f64ee4185456f4c73d0beadc8a2f11204caef400f59f07bd
                                                                                                                                      • Instruction Fuzzy Hash: 0402A470604602AFEB14CF29C850BEABBE4FF88318F04866DE959C7650D774ED65CB92
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: ~IP
                                                                                                                                      • API String ID: 0-3959306736
                                                                                                                                      • Opcode ID: dbfb1a47ef4cf21015feb22a88fe898811b1a6b4d210efab5350a3fb83807d7f
                                                                                                                                      • Instruction ID: 0e36e89e1f9e1fd0a3757911ecfb7ec23bbf8a2227642b7cf3c9c86fbdf17ad5
                                                                                                                                      • Opcode Fuzzy Hash: dbfb1a47ef4cf21015feb22a88fe898811b1a6b4d210efab5350a3fb83807d7f
                                                                                                                                      • Instruction Fuzzy Hash: 4942CDB1A00649CBDB14CE78C8407ADFFA1FF46311F1886ADE5A5E7781D734994ACBA0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 44be82ed036defe528c0ad6c951de0c396452293fa162e62365eb90ba0a48132
                                                                                                                                      • Instruction ID: 20f36868057f2dc5694f653adca667ab833700143c84c98609cf2c37f38438c9
                                                                                                                                      • Opcode Fuzzy Hash: 44be82ed036defe528c0ad6c951de0c396452293fa162e62365eb90ba0a48132
                                                                                                                                      • Instruction Fuzzy Hash: BEB1D37158060A8BCB28DE6885556BFB7A1AF0C304F142A1FD5D2A7381C73CAD65CB9B
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 162f077abf4ece743e342fc7a8eb5a3408877318c4d8ee47aeae2a44dea6da9b
                                                                                                                                      • Instruction ID: 21ea325e3d8e9dd88ad6d2e4823945e325a7d4879c9c0f24fc1850b01c051b63
                                                                                                                                      • Opcode Fuzzy Hash: 162f077abf4ece743e342fc7a8eb5a3408877318c4d8ee47aeae2a44dea6da9b
                                                                                                                                      • Instruction Fuzzy Hash: 10D19F70600B41CBE724CF39C45079ABBE0FF45314F148A6DD4EA8B781EB74A489CB91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ae081eef026d20fb71c04ac6eddb48da90b3bd952cd5193e48f6a1899cdbfde1
                                                                                                                                      • Instruction ID: 7a6889ae545e6ec7e5da51a817b46c2a83bd4d4ff43436e387e76d31d11313cc
                                                                                                                                      • Opcode Fuzzy Hash: ae081eef026d20fb71c04ac6eddb48da90b3bd952cd5193e48f6a1899cdbfde1
                                                                                                                                      • Instruction Fuzzy Hash: 97B1B0756087019FC720CF68C840A6BBBE5FF88324F144B2DF8AAD3690D774EA558B52
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6afd7cca9d3f29b836e8ff968d881141292596375e872e9d8850748854bd48ee
                                                                                                                                      • Instruction ID: 4760c8aac2775d88ce5afe2aa9a6c194579425224feb06dc2f39e30c9f8e2f3f
                                                                                                                                      • Opcode Fuzzy Hash: 6afd7cca9d3f29b836e8ff968d881141292596375e872e9d8850748854bd48ee
                                                                                                                                      • Instruction Fuzzy Hash: FB8100B0E00245AFDB118F69C9907BBBBA4EB1A346F4401AADC54A7343D7399A0DD7A4
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      (Rendered graph not reproduced; legend: Executed / Not Executed. Basic blocks 4e35a0 through 4e3b4f. API call sites on the graph: GetLastError, RmStartSession, RmRegisterResources, RmGetList, RmShutdown, RmEndSession, SetLastError, CopyFileA; internal calls to 424c30, 430240, 413a80, 416470, 42e183, 433500, 416210, 419950, 41b4a0, 4f3910 and 403110.)
                                                                                                                                      APIs
                                                                                                                                      • GetLastError.KERNEL32 ref: 004E35C8
                                                                                                                                      • RmStartSession.RSTRTMGR(?,00000000,?), ref: 004E3620
                                                                                                                                      • RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?), ref: 004E3657
                                                                                                                                      • RmGetList.RSTRTMGR(?,00000000,?,?,?), ref: 004E367F
                                                                                                                                      • RmShutdown.RSTRTMGR(?,00000001,00000000), ref: 004E36A0
                                                                                                                                      • RmEndSession.RSTRTMGR(?), ref: 004E36F9
                                                                                                                                      • SetLastError.KERNEL32(00000000), ref: 004E3700
                                                                                                                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 004E371F
                                                                                                                                      • GetLastError.KERNEL32(?,?,00000000), ref: 004E372A
                                                                                                                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 004E3742
                                                                                                                                      • RmStartSession.RSTRTMGR(?,00000000,?,?,00000000), ref: 004E37B1
                                                                                                                                      • RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004E37E8
                                                                                                                                      • RmGetList.RSTRTMGR(?,?,?,?,?,?,00000000), ref: 004E3810
                                                                                                                                      • RmShutdown.RSTRTMGR(?,00000001,00000000,?,00000000), ref: 004E3830
                                                                                                                                      • RmEndSession.RSTRTMGR(?,?,00000000), ref: 004E387F
                                                                                                                                      • SetLastError.KERNEL32(00000000,?,00000000), ref: 004E3886
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ErrorLastSession$CopyFileListRegisterResourcesShutdownStart
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1315383477-0
                                                                                                                                      • Opcode ID: 9f1c935bf69e85cb9b9760aee873f7302ef3c0541c401a44e83cc19aa013ab35
                                                                                                                                      • Instruction ID: 5bf62267ccc7f4fe4693b81ad114fb0840f9afa76d5c815397b18ace0e574e84
                                                                                                                                      • Opcode Fuzzy Hash: 9f1c935bf69e85cb9b9760aee873f7302ef3c0541c401a44e83cc19aa013ab35
                                                                                                                                      • Instruction Fuzzy Hash: AC02AD71D00259AFCB15DFA5D888BEEBBB8FF08315F14022AE815A7391D7389E44CB95
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph: basic-block graph of the function starting at 43d563 (rendered graph image; the node and edge listing is not reproduced here; the API-calling blocks are listed under APIs below)
APIs
  • Part of subcall function 0043D21C: CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 0043D239
• GetLastError.KERNEL32 ref: 0043D677
• __dosmaperr.LIBCMT ref: 0043D67E
• GetFileType.KERNELBASE(00000000), ref: 0043D68A
• GetLastError.KERNEL32 ref: 0043D694
• __dosmaperr.LIBCMT ref: 0043D69D
• CloseHandle.KERNEL32(00000000), ref: 0043D6BD
• CloseHandle.KERNEL32(?), ref: 0043D80A
• GetLastError.KERNEL32 ref: 0043D83C
• __dosmaperr.LIBCMT ref: 0043D843
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 63c00d4ff725a68de22716b4a375591cf024028e2c9fd4940c7fbe6601f7ac47
• Instruction ID: deea7823187220b22c69116efca66525af397024c1424d0dae53dd4a9d4c69af
• Opcode Fuzzy Hash: 63c00d4ff725a68de22716b4a375591cf024028e2c9fd4940c7fbe6601f7ac47
• Instruction Fuzzy Hash: 47A17C31E14114AFCF19AF68EC467AE3BB1EB0A324F14215EF811DB391DB388816DB55
Uniqueness

Uniqueness Score: -1.00%
Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph: basic-block graph of the function starting at 4d2190 (rendered graph image; the node and edge listing is not reproduced here; the API-calling blocks are listed under APIs below)
APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 004D2391
• std::_Throw_Cpp_error.LIBCPMT ref: 004D23A2
• setsockopt.WS2_32(00000338,0000FFFF,00001006,?,00000008), ref: 004D2466
• recv.WS2_32(?,00000004,00000002), ref: 004D2481
• WSAGetLastError.WS2_32 ref: 004D2485
• recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 004D24EE
• recv.WS2_32(00000000,0000000C,00000008), ref: 004D250F
• setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004D258B
• recv.WS2_32(00000000,?,00000008), ref: 004D25AC
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: recv$Cpp_errorThrow_setsockoptstd::_$ErrorLast
• String ID:
• API String ID: 4262120464-0
• Opcode ID: d02ee23e8d58502d72fa09aa745b8378fa7757ac069d19a7d433680d37297696
• Instruction ID: f7b17b8e68668ba49e7fca0522a5bdce23b6917c1ff1aba89fdf03a1c4391d3e
• Opcode Fuzzy Hash: d02ee23e8d58502d72fa09aa745b8378fa7757ac069d19a7d433680d37297696
• Instruction Fuzzy Hash: 8AF10070D00248DBDB14DFA8DD95BAEBBB1FF54314F10821AE804AB392DB786985DF94
Uniqueness

Uniqueness Score: -1.00%
Control-flow Graph (legend: Executed / Not Executed)

control_flow_graph: basic-block graph of the function starting at 421f3c (rendered graph image; the node and edge listing is not reproduced here; the API-calling blocks are listed under APIs below)
APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422757
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422770
• ___std_exception_destroy.LIBVCRUNTIME ref: 004228EF
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422908
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422B51
• ___std_exception_destroy.LIBVCRUNTIME ref: 00422B6A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ___std_exception_destroy
• String ID: $$array$object
• API String ID: 4194217158-1261123851
• Opcode ID: 8ad5d53e16a425efb3008508f62d81adc97be10aa7c72d6539d92b8b8dc31230
• Instruction ID: 729c381a9a0c7f986160d18f999e66225a9d9459ed6648384f1f9576d23ff93e
• Opcode Fuzzy Hash: 8ad5d53e16a425efb3008508f62d81adc97be10aa7c72d6539d92b8b8dc31230
• Instruction Fuzzy Hash: 6642F370D0025DAFDB14DFA0D984BEEBBB4FF15304F50416EE405A7642EB78AA88CB95
Uniqueness

Uniqueness Score: -1.00%
                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
• Rendered graph not recoverable from the extraction; recoverable structure for the function at 0x4431a0 (basic blocks 0x4431a0 to 0x44352a): Win32 calls ReadFile (block 0x443460), GetConsoleMode (0x443401), ReadConsoleW (0x443418), GetLastError (0x443432 and 0x4434d4) and __dosmaperr (0x443438); internal calls to 0x43bf7c, 0x43bf8f, 0x4334f0, 0x445924, 0x4458aa, 0x43ce8d, 0x44e474, 0x442eb2, 0x443009 and 0x442cf8. The ReadFile / GetConsoleMode / ReadConsoleW / __dosmaperr combination is the C runtime's low-level read routine (console input falls back to ReadConsoleW, errors are mapped to errno), not sample-specific logic.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3907804496
• Opcode ID: b462a36e6bb30e1ebe37cca350b7bdb3d0fdcfd033a52d65a3f9a67cac222ce0
• Instruction ID: e3239ec4e1ee32b8324d570a22e522ef24bddbe65fd960e714ad45a7b0e040b8
• Opcode Fuzzy Hash: b462a36e6bb30e1ebe37cca350b7bdb3d0fdcfd033a52d65a3f9a67cac222ce0
• Instruction Fuzzy Hash: 77B12670A04244AFEB01DF59C881BBE7BB1FF49715F14419AE90197382CB789E41CBA9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Rendered graph not recoverable from the extraction; recoverable structure for the function at 0x4d3150 (basic blocks 0x4d3150 to 0x4d3278): WSAStartup in the entry block, two calls to 0x4f6620, then getaddrinfo (block 0x4d31be). Each addrinfo entry goes through socket (0x4d3214) and connect (0x4d322a); a failed connect runs closesocket (0x4d323c) and loops back to socket for the next entry, a failed socket call goes straight to WSACleanup (0x4d3250). A successful connect leaves the loop through freeaddrinfo at 0x4d3264 and an exhausted list through freeaddrinfo at 0x4d3246; both lead to WSACleanup, the success path alternatively to the return block at 0x4d3270.
APIs
• WSAStartup.WS2_32 ref: 004D317A
• getaddrinfo.WS2_32(?,?,?,00588CC0), ref: 004D31FC
• socket.WS2_32(?,?,?), ref: 004D321D
• connect.WS2_32(00000000,0055F6D1,?), ref: 004D3231
• closesocket.WS2_32(00000000), ref: 004D323D
• freeaddrinfo.WS2_32(?,?,?,?,00588CC0,?,?), ref: 004D324A
• WSACleanup.WS2_32 ref: 004D3250
• freeaddrinfo.WS2_32(?,?,?,?,00588CC0,?,?), ref: 004D3265
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: freeaddrinfo$CleanupStartupclosesocketconnectgetaddrinfosocket
• String ID:
• API String ID: 58224237-0
• Opcode ID: 9e6883013388f64e9fa16a16f0073357cf9f7d6acb3b040fdaf446918f01256a
• Instruction ID: 66b7f2af6e1e00109afe9fd9f1c3058fd8df4c895de65cf13c46908161227474
• Opcode Fuzzy Hash: 9e6883013388f64e9fa16a16f0073357cf9f7d6acb3b040fdaf446918f01256a
• Instruction Fuzzy Hash: 7731E631A047009BD7209F29DC4862BB7E5FF85735F104B5FF9A4933E0D37899489696
Uniqueness

Uniqueness Score: -1.00%
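The API list and graph for the function at 0x4d3150 describe a standard address-iteration connect loop. The Python reconstruction below is an added example, not code from the sample and not produced by Joe Sandbox: it mirrors the WSAStartup / getaddrinfo / socket / connect / closesocket / freeaddrinfo / WSACleanup sequence with Python's socket module, which wraps the same BSD-style calls, and exposes resolver and socket-factory hooks so the fall-through-to-next-address behaviour can be exercised offline against constructed addresses. Host names and addresses in it are placeholders, not values from the report.

```python
"""Reconstruction of the connect loop in the function at 0x4d3150.

Added example, not code from the sample or from the Joe Sandbox report.
The report lists WSAStartup, getaddrinfo, socket, connect, closesocket,
freeaddrinfo and WSACleanup for that function, with a back-edge from
closesocket to socket: the usual "try each address getaddrinfo returned
until one accepts" idiom.  Host names and addresses below are placeholders.
"""
import socket
from typing import Any, Callable, List, Optional, Sequence, Tuple

# (family, type, proto, canonname, sockaddr), as socket.getaddrinfo returns it
AddrInfo = Tuple[int, int, int, str, tuple]


def connect_first_reachable(
    host: str,
    port: int,
    timeout: float = 5.0,
    resolver: Optional[Callable[[str, int], Sequence[AddrInfo]]] = None,
    socket_factory: Optional[Callable[[int, int, int], Any]] = None,
) -> Optional[Any]:
    """Return a connected socket for the first address that accepts, else None.

    Mapping onto the sample's graph:
      getaddrinfo  -> resolver(); failure goes straight to cleanup (None)
      socket       -> socket_factory(); failure ends the loop, as in the graph
      connect      -> sock.connect(); on failure closesocket and fall through
                      to the next addrinfo entry (the closesocket -> socket edge)
      freeaddrinfo / WSAStartup / WSACleanup -> nothing to do in Python
    `resolver` and `socket_factory` are hooks so the loop can run offline;
    by default the real socket module is used.
    """
    if resolver is None:
        def resolver(h: str, p: int) -> Sequence[AddrInfo]:
            return socket.getaddrinfo(h, p, 0, socket.SOCK_STREAM)
    if socket_factory is None:
        socket_factory = socket.socket
    try:
        candidates = resolver(host, port)
    except socket.gaierror:
        return None
    for family, socktype, proto, _canon, sockaddr in candidates:
        try:
            sock = socket_factory(family, socktype, proto)
        except OSError:
            return None
        try:
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            return sock
        except OSError:
            sock.close()
    return None


class _FakeSocket:
    """Offline stand-in for a socket: refuses or accepts depending on the address."""

    def __init__(self, refused: Sequence[tuple]):
        self.refused, self.closed, self.peer = refused, False, None

    def settimeout(self, _timeout: float) -> None:
        pass

    def connect(self, sockaddr: tuple) -> None:
        if sockaddr in self.refused:
            raise ConnectionRefusedError(sockaddr)
        self.peer = sockaddr

    def close(self) -> None:
        self.closed = True


def simulate(addresses: Sequence[str], refused: Sequence[str], port: int = 443) -> dict:
    """Drive the loop with constructed addrinfo results and no real network.

    Reports which address got connected (or None) and how many sockets were
    opened and closed, which is exactly the fall-through behaviour of the graph.
    """
    opened: List[_FakeSocket] = []
    refused_addrs = [(ip, port) for ip in refused]

    def resolver(_host: str, _port: int) -> List[AddrInfo]:
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in addresses]

    def factory(_family: int, _type: int, _proto: int) -> _FakeSocket:
        sock = _FakeSocket(refused_addrs)
        opened.append(sock)
        return sock

    result = connect_first_reachable("placeholder.invalid", port,
                                     resolver=resolver, socket_factory=factory)
    return {
        "connected_to": result.peer[0] if result is not None else None,
        "sockets_opened": len(opened),
        "sockets_closed": sum(1 for s in opened if s.closed),
    }


if __name__ == "__main__":
    # Constructed addresses from documentation ranges, not the sample's C2.
    print(simulate(["192.0.2.1", "198.51.100.7"], refused=["192.0.2.1"]))
```

The simulation with the first address refused reproduces the graph's closesocket-then-socket edge: two sockets opened, one closed, the connection made to the second address. A reader who wants the live behaviour can call connect_first_reachable without the hooks; for a stealer that rotates through several resolved addresses this loop is why blocking a single C2 IP is rarely enough.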

Control-flow Graph

• Rendered graph not recoverable from the extraction; recoverable structure for the function at 0x41a800 (basic blocks 0x41a800 to 0x41ad0c): no Win32 API calls inside the graph, only internal calls (0x421ed0, 0x41b670, 0x420db0, 0x41c660, 0x41b7b0, 0x406670, 0x41bd60, 0x4031c0, 0x42f408, 0x415ab0, 0x411940, 0x416c30, 0x42fc4b, 0x42e183, 0x433500, 0x411310). The paired 0x42f408 calls in blocks 0x41a946 and 0x41ab32 are the ___std_exception_destroy references listed under APIs (0x41a959/0x41a972 and 0x41ab4e/0x41ab67), i.e. C++ exception cleanup paths.
APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 0041A959
• ___std_exception_destroy.LIBVCRUNTIME ref: 0041A972
• ___std_exception_destroy.LIBVCRUNTIME ref: 0041AB4E
• ___std_exception_destroy.LIBVCRUNTIME ref: 0041AB67
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ___std_exception_destroy
• String ID: value
• API String ID: 4194217158-494360628
• Opcode ID: 7de34780600d4b1dabe19f14ffe17dc70708db038589e88eb6431569b9f7661d
• Instruction ID: 9f034d729ebebe199f4f723a1c14bfd040db2caa5f80a11ca9a640f2ae4bdf80
• Opcode Fuzzy Hash: 7de34780600d4b1dabe19f14ffe17dc70708db038589e88eb6431569b9f7661d
• Instruction Fuzzy Hash: 8DF10370D002488FDB14DF65C844BEEBBB4BF15304F14829EE455A7782E7786A88CFA6
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNELBASE(00000000,00000000,?), ref: 0040A601
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040A6D1
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040A706
  • Part of subcall function 004F2CD0: GetFileAttributesA.KERNELBASE(?,?,?,0055A5B3,000000FF), ref: 004F2D0C
  • Part of subcall function 004F2CD0: GetLastError.KERNEL32(?,?,0055A5B3,000000FF), ref: 004F2D17
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040A911
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040A940
• CreateDirectoryA.KERNELBASE(00000000,00000000,?), ref: 0040ACD3
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040ADA3
The nFolder value 0x1A passed to SHGetFolderPathA is CSIDL_APPDATA, the user's roaming %APPDATA% directory. Together with the GetFileAttributesA / GetLastError existence check in the 0x4F2CD0 subcall and the surrounding CreateDirectoryA calls, this reads as a create-if-missing routine for the sample's working directory, presumably below that path; the report does not show the path arguments, so the exact directory name is not recoverable here.
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CreateDirectory$FolderPath$AttributesErrorFileLast
• String ID:
• API String ID: 3066340180-0
• Opcode ID: 19c4d3283afc54cd7afabba50036feaba4a00939002738fbcb30bee4d7362651
• Instruction ID: 0dc40a6cb04ba276704b867a860c5201117d836184c1faeb6618881e0654ecfd
• Opcode Fuzzy Hash: 19c4d3283afc54cd7afabba50036feaba4a00939002738fbcb30bee4d7362651
• Instruction Fuzzy Hash: 84F1DCB8D042589ADB25DF98C981BDDBBF4AF58314F1410DAE809B7381DB316E84CF69
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408127
• GetProcAddress.KERNEL32(00000000,?), ref: 00408132
• WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000), ref: 0040814B
GetModuleHandleA("Ws2_32.dll") followed by GetProcAddress resolves a Winsock export at run time, so the resolved target does not appear in the import table and static import-based triage misses it. The WSASend that follows is called with dwBufferCount = 1, dwFlags = 0 and neither an overlapped structure nor a completion routine, i.e. a synchronous send of a single buffer.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AddressHandleModuleProcSend
• String ID: Ws2_32.dll
• API String ID: 2819740048-3093949381
• Opcode ID: d1ce78f9ae48063a26ae24d189bcc4b00fbdf36e4b44d7184625d12e189acc5b
• Instruction ID: 4cf5a73f60aaa9aa04889aa359a8f1718852bcf292be34ef81f356f0aae57edb
• Opcode Fuzzy Hash: d1ce78f9ae48063a26ae24d189bcc4b00fbdf36e4b44d7184625d12e189acc5b
• Instruction Fuzzy Hash: 1FF18D70E042468FCB25CF58C880A6EBBB1BF45314F24456EE5A5AB3D2D7356C42CBD6
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,005588D8,00000000,00000000,-00589220), ref: 00408566
• GetProcAddress.KERNEL32(00000000,?), ref: 00408574
• WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,005588D8,00000000,00000000,-00589220), ref: 00408589
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AddressHandleModuleProcSend
• String ID: Ws2_32.dll
• API String ID: 2819740048-3093949381
• Opcode ID: 56d94f30f56239b9f6a30b9d4a5a515b5cb323a29f0ba089c1967f76d3ef3ef0
• Instruction ID: b889a33a35ddf0adef0218ac58701f77bdbbaba15cb1320cc4c9efeef27d22b6
• Opcode Fuzzy Hash: 56d94f30f56239b9f6a30b9d4a5a515b5cb323a29f0ba089c1967f76d3ef3ef0
• Instruction Fuzzy Hash: 1BE1BC70D00258EFDF15CBA4DD917EDBBB0AF56704F14029EE8857B282DB34198ACB95
Uniqueness

Uniqueness Score: -1.00%
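Both WSASend entries above (call sites 0x408127 and 0x408566, sharing API String ID 2819740048-3093949381) show the same GetModuleHandleA("Ws2_32.dll") then GetProcAddress pattern, a Winsock export resolved at run time. The parser below is an added example and is not part of the report or of Joe Sandbox's own tooling: it reads rows in the "APIs" format used on this page (the row grammar is inferred from these rows, including the "Part of subcall function" prefix and the argument-less WSAStartup row), and flags loader-then-GetProcAddress pairs by call-site order. Its sample input is constructed from rows copied from this page.

```python
"""Parser for the per-function "APIs" rows of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox tooling.  The row
grammar is inferred from the rows on this page; it may not cover every
variant the product emits.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: rows copied from the two WSASend entries, the
# WSAStartup entry and the CreateDirectoryA entry on this page.
SAMPLE_ROWS = """
• GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408127
• GetProcAddress.KERNEL32(00000000,?), ref: 00408132
• WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000), ref: 0040814B
• GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,005588D8,00000000,00000000,-00589220), ref: 00408566
• GetProcAddress.KERNEL32(00000000,?), ref: 00408574
• WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,005588D8,00000000,00000000,-00589220), ref: 00408589
• WSAStartup.WS2_32 ref: 004D317A
  • Part of subcall function 004F2CD0: GetFileAttributesA.KERNELBASE(?,?,?,0055A5B3,000000FF), ref: 004F2D0C
"""

ROW_RE = re.compile(
    r"""^\s*•?\s*
        (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-Fa-f]+):\s*)?
        (?P<api>[A-Za-z_][\w@$]*)\.(?P<module>[A-Za-z0-9_]+)
        (?:\((?P<args>[^)]*)\))?
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$""",
    re.VERBOSE,
)
HEX_ARG_RE = re.compile(r"-?[0-9A-Fa-f]{8}")
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW",
           "LoadLibraryExA", "LoadLibraryExW"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                   # call-site address from the "ref:" field
    subcall_of: Optional[int]  # set for "Part of subcall function X" rows

    @property
    def string_args(self) -> List[str]:
        """Arguments the sandbox rendered as text rather than as a hex value or '?'."""
        return [a for a in self.args if a and a != "?" and not HEX_ARG_RE.fullmatch(a)]


@dataclass
class ResolutionHit:
    module_name: str   # string handed to the loader call, e.g. "Ws2_32.dll"
    loader_ref: int    # address of the GetModuleHandle/LoadLibrary call
    resolver_ref: int  # address of the GetProcAddress call that follows it


def parse_rows(text: str) -> List[ApiCall]:
    """Parse every line matching the row format; anything else is ignored."""
    calls = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append(ApiCall(api=m["api"], module=m["module"], args=args,
                             ref=int(m["ref"], 16),
                             subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return calls


def find_dynamic_resolution(calls: List[ApiCall]) -> List[ResolutionHit]:
    """Pair each loader call that names a DLL with the next GetProcAddress in address order."""
    hits, pending = [], None
    for call in sorted(calls, key=lambda c: c.ref):
        if call.api in LOADERS and call.string_args:
            pending = call
        elif call.api == "GetProcAddress" and pending is not None:
            hits.append(ResolutionHit(pending.string_args[0], pending.ref, call.ref))
            pending = None
    return hits


def summarize(calls: List[ApiCall]) -> Dict[str, object]:
    """Module and API inventory for a set of rows."""
    return {
        "call_count": len(calls),
        "modules": sorted({c.module for c in calls}),
        "apis": sorted({f"{c.api}.{c.module}" for c in calls}),
    }


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for hit in find_dynamic_resolution(parsed):
        print(f"{hit.module_name} resolved at run time: loader {hit.loader_ref:08X}, "
              f"GetProcAddress {hit.resolver_ref:08X}")
    print(summarize(parsed))
```

Run against the constructed rows it reports two run-time resolutions of Ws2_32.dll, one per WSASend function. The pairing is by call-site address only, so a GetProcAddress that belongs to a different function could be attributed to the wrong loader if the rows from several functions are mixed; feed it one function's rows at a time when that matters.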

                                                                                                                                      APIs
                                                                                                                                      • DeleteFileW.KERNELBASE(A{C,?,00437B41,?), ref: 00446268
                                                                                                                                      • GetLastError.KERNEL32(?,00437B41,?), ref: 00446272
                                                                                                                                      • __dosmaperr.LIBCMT ref: 00446279
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: DeleteErrorFileLast__dosmaperr
• String ID: A{C
• API String ID: 1545401867-2902953714
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(?,?,?,0055A5B3,000000FF), ref: 004F2D0C
• GetLastError.KERNEL32(?,?,0055A5B3,000000FF), ref: 004F2D17
• std::_Throw_Cpp_error.LIBCPMT ref: 004F2D4E
• std::_Throw_Cpp_error.LIBCPMT ref: 004F2D5F
Similarity
• API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
• String ID:
• API String ID: 995686243-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00551E4F
• GetLastError.KERNEL32 ref: 00551E5A
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00551E82
• GetLastError.KERNEL32 ref: 00551E8C
Similarity
• API ID: ErrorFileLast$PointerRead
• String ID:
• API String ID: 2170121939-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406029
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406070
Similarity
• API ID: ___std_fs_directory_iterator_advance@8
• String ID: .
• API String ID: 2610647541-248832578
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040BF0B
Similarity
• API ID: CreateDirectory
• String ID: D5I$gO>
• API String ID: 4241100979-9669375
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040B094
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040B194
Similarity
• API ID: CopyCreateDirectoryFile
• String ID: d:P
• API String ID: 3761107634-1316356323
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040C78B
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040C88B
Similarity
• API ID: CopyCreateDirectoryFile
• String ID:
• API String ID: 3761107634-3916222277
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040BDEF
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040BF0B
Similarity
• API ID: CopyCreateDirectoryFile
• String ID: gO>
• API String ID: 3761107634-815838113
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004458AA: RtlFreeHeap.NTDLL(00000000,00000000,?,0044C3D9,?,00000000,?,?,0044C67A,?,00000007,?,?,0044CB6E,?,?), ref: 004458C0
  • Part of subcall function 004458AA: GetLastError.KERNEL32(?,?,0044C3D9,?,00000000,?,?,0044C67A,?,00000007,?,?,0044CB6E,?,?), ref: 004458CB
• GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00447E03,00000000,00000000,00000000), ref: 00447CC2
Similarity
• API ID: ErrorFreeHeapInformationLastTimeZone
• String ID: W. Europe Standard Time$W. Europe Summer Time
• API String ID: 3335090040-690618308
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040C39A
                                                                                                                                      • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040C49A
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CopyCreateDirectoryFile
                                                                                                                                      • String ID: U5I
                                                                                                                                      • API String ID: 3761107634-2587217555
                                                                                                                                      • Opcode ID: 66b2524eb8a07fd23d5aa4cb1cda167927eeeac49ec39440f90acb96c5dc2362
                                                                                                                                      • Instruction ID: e5f4e7ff2e2fcc63228e79b94ae8c256ee4266638f27ae636944e61a4eef9a7f
                                                                                                                                      • Opcode Fuzzy Hash: 66b2524eb8a07fd23d5aa4cb1cda167927eeeac49ec39440f90acb96c5dc2362
                                                                                                                                      • Instruction Fuzzy Hash: CC518CB4D052188BDB24DF98D995ADCBBF1AF48324F641199E809B7340DB356E84CF29
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ErrorLast
                                                                                                                                      • String ID: -1L$-2L
                                                                                                                                      • API String ID: 1452528299-3975959154
                                                                                                                                      • Opcode ID: 7cbc2765ffe9876f453631ab618cea2cdf271d2230653e7288edc8667744d0af
                                                                                                                                      • Instruction ID: 8532e58cabc42239c9a206463210862c2cf1955d45b676afb1905f123e481057
                                                                                                                                      • Opcode Fuzzy Hash: 7cbc2765ffe9876f453631ab618cea2cdf271d2230653e7288edc8667744d0af
                                                                                                                                      • Instruction Fuzzy Hash: 8BA1A071E102489BDB18DBA4CC95BFEB771FF58304F14821EE905BB281EB746A85CB54
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040AB87
                                                                                                                                      • CreateDirectoryA.KERNELBASE(00000000,00000000,?), ref: 0040ACD3
                                                                                                                                      • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040ADA3
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateDirectory$CopyFile
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 379462554-0
                                                                                                                                      • Opcode ID: aa0bf1944e415d055ad1ba2bd394d683157b89170457a394d18422a3be082895
                                                                                                                                      • Instruction ID: fa5d3aefcb5318aac483c8dab34aecfa374d65c0e00a15c095fa280417b77c72
                                                                                                                                      • Opcode Fuzzy Hash: aa0bf1944e415d055ad1ba2bd394d683157b89170457a394d18422a3be082895
                                                                                                                                      • Instruction Fuzzy Hash: EEC1CEB8D042188ADB25DF98C991ADDBBF0AF5C324F1411E9D809B7380DB356E84CF69
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • GetCurrentProcess.KERNEL32(75FF50CA,?,0043DE73,00000016,004332F3,?,75FF50CA,84D436BD,004332F3,75FF50CA), ref: 0043DE8A
                                                                                                                                      • TerminateProcess.KERNEL32(00000000,?,0043DE73,00000016,004332F3,?,75FF50CA,84D436BD,004332F3,75FF50CA), ref: 0043DE91
                                                                                                                                      • ExitProcess.KERNEL32 ref: 0043DEA3
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1703294689-0
                                                                                                                                      • Opcode ID: 7d470379b508b403f4ab401723c09fedd286a175a0f2e09b2a992ce8b19c4fb8
                                                                                                                                      • Instruction ID: 5fe30eb41a0399f7e166aae356d18006ddc47655100d151fd05e604e3206ade8
                                                                                                                                      • Opcode Fuzzy Hash: 7d470379b508b403f4ab401723c09fedd286a175a0f2e09b2a992ce8b19c4fb8
                                                                                                                                      • Instruction Fuzzy Hash: 2CD05E31804A04ABCF003F65EC0E85A3F25AF24345F005015F9194B131CB798989EA84
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 0043D239
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateFile
                                                                                                                                      • String ID: @
                                                                                                                                      • API String ID: 823142352-2766056989
                                                                                                                                      • Opcode ID: 15f19a1f7690f80218afbcd4fd66329c079a2cb147d96d8989a4609ec7928676
                                                                                                                                      • Instruction ID: dc00e106188675afe22aef0fe0e5de5fe1af6006a7ca4effd60217809a668f9c
                                                                                                                                      • Opcode Fuzzy Hash: 15f19a1f7690f80218afbcd4fd66329c079a2cb147d96d8989a4609ec7928676
                                                                                                                                      • Instruction Fuzzy Hash: 4361F671D00109ABEF294E68FC85BBF3B64EB1C318F286167F914D6391D23CCD829259
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0040B5A7
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CopyFile
                                                                                                                                      • String ID: bV#
                                                                                                                                      • API String ID: 1304948518-2557208531
                                                                                                                                      • Opcode ID: 2e174e6643ddc55f21fd3496af49bc0eec1a3949b4a986039ec58223d0844ec1
                                                                                                                                      • Instruction ID: cae23ce53105954d6f992f15396b4822f88a54db382455c53f0dce72c0814f2e
                                                                                                                                      • Opcode Fuzzy Hash: 2e174e6643ddc55f21fd3496af49bc0eec1a3949b4a986039ec58223d0844ec1
                                                                                                                                      • Instruction Fuzzy Hash: 2BC18DB4D052598FCB25CF98DA916DCBBF1AB4C324F2451AAD809B7340DB356E81CF68
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040C49A
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateDirectory
                                                                                                                                      • String ID: U5I
                                                                                                                                      • API String ID: 4241100979-2587217555
                                                                                                                                      • Opcode ID: c096f63529a2d04bfeae6dc2135d5aab1f1a4f86739ed3dadbb568acd2f4c664
                                                                                                                                      • Instruction ID: ac674b7b51f05a57ce70314e7f00a6b42712f57d929c2611c6f576c432607ed5
                                                                                                                                      • Opcode Fuzzy Hash: c096f63529a2d04bfeae6dc2135d5aab1f1a4f86739ed3dadbb568acd2f4c664
                                                                                                                                      • Instruction Fuzzy Hash: A4C16BB4D052188FDB24CF98DA91ADCBBF1AB4C324F645199E809B7340DB316E85CF69
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 004F2CD0: GetFileAttributesA.KERNELBASE(?,?,?,0055A5B3,000000FF), ref: 004F2D0C
                                                                                                                                        • Part of subcall function 004F2CD0: GetLastError.KERNEL32(?,?,0055A5B3,000000FF), ref: 004F2D17
                                                                                                                                      • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040E459
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AttributesCreateDirectoryErrorFileLast
                                                                                                                                      • String ID: =
                                                                                                                                      • API String ID: 674977465-2322244508
                                                                                                                                      • Opcode ID: c01e006192443c623b1345774e7bd4ae881e867d2a563e42cd0be2be54deea90
                                                                                                                                      • Instruction ID: 4c31c2b4ab6c20c136918818f105c81bd143b56d6cc430cbfc3e2680d29ed538
                                                                                                                                      • Opcode Fuzzy Hash: c01e006192443c623b1345774e7bd4ae881e867d2a563e42cd0be2be54deea90
                                                                                                                                      • Instruction Fuzzy Hash: 2091F2B4D1526C9BDB25CFA9E981ADCFBB4BF48304F00819AE858B7341DB346A84CF55
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 004108A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CreateDirectory
• String ID: k
• API String ID: 4241100979-140662621
• Opcode ID: c404385334f48e69bc3d99d72a58cc6b4349818a5b857a9d5148564d291bfd69
• Instruction ID: 1f0ba2e685299aad9cd7c917c7bb047ec0820a6efdb3c6e343f4a662026f26a4
• Opcode Fuzzy Hash: c404385334f48e69bc3d99d72a58cc6b4349818a5b857a9d5148564d291bfd69
• Instruction Fuzzy Hash: 68417BB4D05268DBCB28CF99E990ADCFBB1FB48304F4081AAE819B7350DB746941CF45
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,6F2977B7,?,?,?,?,?,?,?,00000000,00000001,74D723A0,00000000), ref: 004D2D54
  • Part of subcall function 004DB380: VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040,?,00000000), ref: 004DB3EA
  • Part of subcall function 004DB380: WriteProcessMemory.KERNEL32(00000000,00000000,t-M,?,00000000), ref: 004DB406
  • Part of subcall function 004DB380: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004DB43F
  • Part of subcall function 004DB380: VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004DB469
  • Part of subcall function 0042D43A: ReleaseSRWLockExclusive.KERNEL32(004F2D39), ref: 0042D44E
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Process$AllocMemoryVirtualWrite$CurrentExclusiveLockRelease
• String ID:
• API String ID: 666592346-0
• Opcode ID: 36bdb181790bc6e9ce34960c3b1bcb2e23f1027d8802b3b0fa36cb7caa308c08
• Instruction ID: 26b9c72b6ddc4c31c1f3b4b91af9721e671e16450a7e1798ce2a3c04c8b5f315
• Opcode Fuzzy Hash: 36bdb181790bc6e9ce34960c3b1bcb2e23f1027d8802b3b0fa36cb7caa308c08
• Instruction Fuzzy Hash: 7432DF70900208CBDB14DF68C9957EDBBB1FF58304F14419AE8096B392DB789E85CFA6
Uniqueness

Uniqueness Score: -1.00%
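The function above is the one behind the report's "Contains functionality to inject threads in other processes" signature: inside subcall 004DB380 the sample calls VirtualAllocEx with flAllocationType 00003000 and flProtect 00000040 and then WriteProcessMemory, twice each. The following Python is an added example, not Joe Sandbox's code and not the sample's: it parses call lines in the sandbox's listing format, decodes those two arguments into the documented Win32 constant names (0x3000 is MEM_COMMIT|MEM_RESERVE, 0x40 is PAGE_EXECUTE_READWRITE), and flags an executable remote allocation paired with a write from the same code region. The embedded input is the six call lines above copied verbatim; the pairing rule is an assumed triage heuristic, and because this listing shows no thread-creation call (CreateRemoteThread or an equivalent), the script reports the primitives but does not claim the full injection chain.

```python
"""Decode the VirtualAllocEx/WriteProcessMemory chain in a Joe Sandbox API listing."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: the API lines of the function above (call site
# 004D2D54 and its subcall 004DB380), copied as the sandbox prints them.
SAMPLE_LISTING = """\
• GetCurrentProcess.KERNEL32(?,6F2977B7,?,?,?,?,?,?,?,00000000,00000001,74D723A0,00000000), ref: 004D2D54
  • Part of subcall function 004DB380: VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040,?,00000000), ref: 004DB3EA
  • Part of subcall function 004DB380: WriteProcessMemory.KERNEL32(00000000,00000000,t-M,?,00000000), ref: 004DB406
  • Part of subcall function 004DB380: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004DB43F
  • Part of subcall function 004DB380: VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004DB469
  • Part of subcall function 0042D43A: ReleaseSRWLockExclusive.KERNEL32(004F2D39), ref: 0042D44E
"""


class ApiCall(NamedTuple):
    func: str
    module: str
    args: List[str]          # stack slots as printed; "?" where the sandbox had no value
    ref: str                 # address of the call site
    subcall: Optional[str]   # address of the sub-function containing the call, if any


# One call per line: "Func.MODULE(arg,...), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR: ". CRT entries ("x.LIBCPMT ref: ADDR") have no args.
_CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<func>[\w:@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]{8})"
)

# Documented Win32 constants (not values taken from the report).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


def parse_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append(ApiCall(m.group("func"), m.group("mod"), raw.split(",") if raw else [],
                             m.group("ref").upper(), m.group("sub")))
    return calls


def _hex_arg(args: List[str], index: int) -> Optional[int]:
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):   # "?", a decoded string such as "t-M", or missing
        return None


def decode_virtualallocex(call: ApiCall) -> Dict[str, object]:
    # VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType, flProtect):
    # only the first five slots are real parameters; anything after is stack noise.
    size = _hex_arg(call.args, 2)
    alloc = _hex_arg(call.args, 3)
    prot = _hex_arg(call.args, 4)
    return {
        "size": size,
        "allocation_type": [n for bit, n in sorted(MEM_FLAGS.items()) if alloc is not None and alloc & bit],
        "protect": "?" if prot is None else PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
    }


def find_injection_primitives(calls: List[ApiCall]) -> Dict[str, object]:
    """Flag an executable allocation in another process plus a WriteProcessMemory
    from the same code region. Assumed heuristic: it does not establish the
    thread-creation step, which this listing does not contain."""
    exec_allocs = [c for c in calls if c.func == "VirtualAllocEx"
                   and decode_virtualallocex(c)["protect"] in EXECUTABLE]
    writes = [c for c in calls if c.func == "WriteProcessMemory"]
    regions = {c.subcall or c.ref for c in exec_allocs} & {c.subcall or c.ref for c in writes}
    return {"suspicious": bool(regions), "regions": sorted(regions),
            "exec_allocs": [c.ref for c in exec_allocs], "writes": [c.ref for c in writes]}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for c in parsed:
        if c.func == "VirtualAllocEx":
            print(c.ref, decode_virtualallocex(c))
    print(find_injection_primitives(parsed))
```

The arguments in these listings are the stack slots the sandbox observed at the call site, not validated parameters: GetCurrentProcess takes no arguments at all, yet thirteen slots are printed for it. Decode positionally only for parameters the API actually defines, and treat "?" as unknown rather than zero.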

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 0041FF44
• Concurrency::cancel_current_task.LIBCPMT ref: 0042013E
  • Part of subcall function 00403070: ___std_exception_copy.LIBVCRUNTIME ref: 004030AE
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Concurrency::cancel_current_task$___std_exception_copy
• String ID:
• API String ID: 270002120-0
• Opcode ID: 060430c55af8b6ea1c615aab261a260ab76fea60cbfa4c02fe2dacebd12a2d03
• Instruction ID: 187ba38e436fa24eb54e9b6ebc159b9d6d0155e37d19f8bc819051910fa96c6e
• Opcode Fuzzy Hash: 060430c55af8b6ea1c615aab261a260ab76fea60cbfa4c02fe2dacebd12a2d03
• Instruction Fuzzy Hash: F8B13672B012108FC718DF2CED816BE77A5EB94304B95417BDC06AF369EA34ED898794
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0044372F: GetConsoleOutputCP.KERNEL32(84D436BD,00000000,00000000,00437957), ref: 00443792
• WriteFile.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,?,004F2E1F,?,00437877,004F2E1F,?,00578900,00000010,00437957), ref: 0044419E
• GetLastError.KERNEL32(?,00437877,004F2E1F,?,00578900,00000010,00437957,004F2E1F,?,00000000,?), ref: 004441A8
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ConsoleErrorFileLastOutputWrite
• String ID:
• API String ID: 2915228174-0
• Opcode ID: 66e0ddea0cb217b6ae80d1a32b3b59e934d250a7623237bbde176196d2ee28a3
• Instruction ID: 0628d0172fcac0a10c399004d6184d52a202fa31f39ed19b8586a1ab0f8a80ff
• Opcode Fuzzy Hash: 66e0ddea0cb217b6ae80d1a32b3b59e934d250a7623237bbde176196d2ee28a3
• Instruction Fuzzy Hash: 2B61C471900119AFEF11CFA8DC84BEFBBB9BF99304F14014AE900A7202D779D955DB65
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: a6de1df37dfb96f7904da2523f795a48f12aff5b6393de5a7868983c18ffdd9b
• Instruction ID: b5ec34bd29a15183def94e688a440539f4bf7795f8ca6c39a07d260135894a7b
• Opcode Fuzzy Hash: a6de1df37dfb96f7904da2523f795a48f12aff5b6393de5a7868983c18ffdd9b
• Instruction Fuzzy Hash: 82615B326042058FCB18CF2DD9809AA77E1EF88720F05866EFC58CB345E775DC698B99
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00443576,00000000,CF830579,00578C68,0000000C,00443632,0043790D,?), ref: 004436E5
• GetLastError.KERNEL32(?,00443576,00000000,CF830579,00578C68,0000000C,00443632,0043790D,?), ref: 004436EF
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification
• String ID:
• API String ID: 1687624791-0
• Opcode ID: b78c23c39475fb946a6917cc79ada02ff23f82b2eae8cc914a7116fd1dd25ee2
• Instruction ID: 5b9e54e71ebf2813978f3334a6ac8d2e590d94fd15b88a1802dc34040f0fcd9e
• Opcode Fuzzy Hash: b78c23c39475fb946a6917cc79ada02ff23f82b2eae8cc914a7116fd1dd25ee2
• Instruction Fuzzy Hash: 0B118C326041153AF6302A34AC4DB3F67898B82F39F26014FF908873C2DE6D8D409658
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNELBASE(00000000,00000000,00437957,00000000,00000002,00000000,00000000,00000000,00000000,?,0043CEE6,00000000,00000000,00437957,00000002,00000000), ref: 0043CDE8
• GetLastError.KERNEL32(00000000,?,0043CEE6,00000000,00000000,00437957,00000002,00000000,?,004440BE,00000000,00000000,00000000,00000002,00437957,00000000), ref: 0043CDF5
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 0af088d07c5e9b5a66b5e22e0931705f94c426e6b0292fcf303bea830e5f1f74
• Instruction ID: 056746620e1e5b2230fb06e89194d4bad5ac0bf9516e57b03a2b19a767fcc837
• Opcode Fuzzy Hash: 0af088d07c5e9b5a66b5e22e0931705f94c426e6b0292fcf303bea830e5f1f74
• Instruction Fuzzy Hash: 62012632614119AFCF058F59CC49D9E3F2AEF89320F24020AF811AB2D0EA75ED41DBD4
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00405D9E
  • Part of subcall function 0042C80A: FindNextFileW.KERNELBASE(?,?,?,00405DA3,?,?), ref: 0042C813
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00405DB7
  • Part of subcall function 0042C80A: GetLastError.KERNEL32(?,00405DA3,?,?), ref: 0042C821
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ___std_fs_directory_iterator_advance@8$ErrorFileFindLastNext
• String ID:
• API String ID: 1771861590-0
• Opcode ID: eb254d40bdae5997d1b915ee938d47a4925237b4d84c79f510e65dea7e6ef008
• Instruction ID: 0108473d78f0f304d06e31c26ecc01ded597c2f8cb716c03f48c3c202a603d91
• Opcode Fuzzy Hash: eb254d40bdae5997d1b915ee938d47a4925237b4d84c79f510e65dea7e6ef008
• Instruction Fuzzy Hash: 02E09232200A212299503513AD055EFAB5EEE913A4740403BFA05A7781EB38EC1285E9
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,0044C3D9,?,00000000,?,?,0044C67A,?,00000007,?,?,0044CB6E,?,?), ref: 004458C0
• GetLastError.KERNEL32(?,?,0044C3D9,?,00000000,?,?,0044C67A,?,00000007,?,?,0044CB6E,?,?), ref: 004458CB
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: faeb12ccb0e26dc965f9d80f3c1b711b705900c11bc95a42bd6c0ce8c2310291
• Instruction ID: 23237336ed7649a93a226213d1d5fd37ccb1674bfa2126fe5f49bd5de7ec7b5d
• Opcode Fuzzy Hash: faeb12ccb0e26dc965f9d80f3c1b711b705900c11bc95a42bd6c0ce8c2310291
• Instruction Fuzzy Hash: 75E086315006146BDB113FB9EC0DBAA3BA8EB44355F519026F709D7161CF788854D7C8
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • DeleteFileA.KERNELBASE(?), ref: 004D1911
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DeleteFile
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4033686569-0
                                                                                                                                      • Opcode ID: a4067626d450e140927f30566bcb3f5f13dc5ee24b7ebb62ed89108156141035
                                                                                                                                      • Instruction ID: 595fb68b70b26d2d20b0dfc54c8cde64091a38ddc6938181b846cdeea2eef5ff
                                                                                                                                      • Opcode Fuzzy Hash: a4067626d450e140927f30566bcb3f5f13dc5ee24b7ebb62ed89108156141035
                                                                                                                                      • Instruction Fuzzy Hash: 3C22C1B0D002099FCB14DFA8D995BAEBBB1FF48304F14825EE805AB352D734AA45CF95
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 004254A7
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 118556049-0
                                                                                                                                      • Opcode ID: 0135a771d94612305155d4bedf15d44cb2e9a3041a2a59555f0273477d00dd07
                                                                                                                                      • Instruction ID: c4b725e649f7e58322d65e55cd69c4218f7731d497adffb4160b667c7d72a65a
                                                                                                                                      • Opcode Fuzzy Hash: 0135a771d94612305155d4bedf15d44cb2e9a3041a2a59555f0273477d00dd07
                                                                                                                                      • Instruction Fuzzy Hash: D7810372700515AFC708EF38E98597EB7A9EF443207A4832EE819C7385EA34EE55C794
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: __fread_nolock
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2638373210-0
                                                                                                                                      • Opcode ID: ac2fe1fdd1d305da311f708790251e2dbeebfcc096343714379e97417a5c921e
                                                                                                                                      • Instruction ID: 32bcb13d06159bcbf1e711c284ff9f9cb594162b32a10293023583a718d1283d
                                                                                                                                      • Opcode Fuzzy Hash: ac2fe1fdd1d305da311f708790251e2dbeebfcc096343714379e97417a5c921e
                                                                                                                                      • Instruction Fuzzy Hash: 8C51A1B0D002099FDB14DF59D981BAEFBB0FF49704F14825EE8046B342D7799A41CB95
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: __fread_nolock
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2638373210-0
                                                                                                                                      • Opcode ID: ef3477f15171163ca3a83896ce0a7433280ff029a887a87f02df4f291d8d58ed
                                                                                                                                      • Instruction ID: 6ce4f48939319f72f3aec6a6d9b50e6fff9bcb1e6f6dae555552d8831335830b
                                                                                                                                      • Opcode Fuzzy Hash: ef3477f15171163ca3a83896ce0a7433280ff029a887a87f02df4f291d8d58ed
                                                                                                                                      • Instruction Fuzzy Hash: 2551A0B0D002099FDB14DF59D981BAEFBB0FF49704F14825EE8146B341E779AA41CBA5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: eede66d756e0c1a0b5e07baf9b01a7231fde42cae16d6e993eff2dc43bb1a5b1
                                                                                                                                      • Instruction ID: 8d691b3f4dbeef2f936747217c2848be1b4780fc272094865f28ed7dea4c0760
                                                                                                                                      • Opcode Fuzzy Hash: eede66d756e0c1a0b5e07baf9b01a7231fde42cae16d6e993eff2dc43bb1a5b1
                                                                                                                                      • Instruction Fuzzy Hash: 7B51E3B4A00104AFDB14DF59CC85AAABBF1EF4D324F24915AF8099B352D379EE41CB94
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: __fread_nolock
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2638373210-0
                                                                                                                                      • Opcode ID: 1c393b77a678177202ae0a4b35ab124da8259f0f62cb0e23b0d2acb6517c6524
                                                                                                                                      • Instruction ID: cd4a1da141f317168313a104556b472c5763c058f69814c45053fc560e84e052
                                                                                                                                      • Opcode Fuzzy Hash: 1c393b77a678177202ae0a4b35ab124da8259f0f62cb0e23b0d2acb6517c6524
                                                                                                                                      • Instruction Fuzzy Hash: 6A5180B0D002099BDB24DF59D982BAEFBF0FF44714F14061EE5416B341D779AA44CBA6
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 004036E7
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 118556049-0
                                                                                                                                      • Opcode ID: 900155ca0dd1314eead5f8e5303eee4f11c8eb786659eda044bee85053514b91
                                                                                                                                      • Instruction ID: b9d4245d5dcab57e39e5a3b07e56f9f2a2320c6166ca48ee61a96fda454eaaa4
                                                                                                                                      • Opcode Fuzzy Hash: 900155ca0dd1314eead5f8e5303eee4f11c8eb786659eda044bee85053514b91
                                                                                                                                      • Instruction Fuzzy Hash: EA414872B00000AFC718DE3DC98586EBBADEF85314714867EE815DB385EA35EE058765
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___std_fs_directory_iterator_open@12.LIBCPMT ref: 00405BB1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___std_fs_directory_iterator_open@12
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 29801545-0
                                                                                                                                      • Opcode ID: f696d6151f309be9193cc7c85e873ba70de42943ce5765209a9c4d3a5a8c60fc
                                                                                                                                      • Instruction ID: d5a1cf4f232f5c6ac5430c54351a6ee74597bd081f23ad9fa31e924e3bde2b96
                                                                                                                                      • Opcode Fuzzy Hash: f696d6151f309be9193cc7c85e873ba70de42943ce5765209a9c4d3a5a8c60fc
                                                                                                                                      • Instruction Fuzzy Hash: 8741CF72E146049BDB18DF49D8817AEB7B4FB84320F14466AEC11637C1EB397D50CA95
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 004255BB
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 118556049-0
                                                                                                                                      • Opcode ID: 662d4eb6b92c4b89937c882f51579e2c24e781042207b5e4d8dfa5cecce3f860
                                                                                                                                      • Instruction ID: b55e259dbeb527f6be1e3a55ae8afcab0a3919011b56be8b9cf3d81180561e7d
                                                                                                                                      • Opcode Fuzzy Hash: 662d4eb6b92c4b89937c882f51579e2c24e781042207b5e4d8dfa5cecce3f860
                                                                                                                                      • Instruction Fuzzy Hash: 79316B72B00024AFC704DE3DD98587E7BBADF84350794427AF818CB349EA38DE4583A5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(?,00000000), ref: 00408A31
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: e778ac258585310e7fe4938e31092008cd6e18a3a51d75130e0cc209c0f13ca7
• Instruction ID: d2c8f323ac81831e6b5d26602da7a52bd27c9e45b28783f3ac091e4753249403
• Opcode Fuzzy Hash: e778ac258585310e7fe4938e31092008cd6e18a3a51d75130e0cc209c0f13ca7
• Instruction Fuzzy Hash: DD514AB8D05218EBDB14CF98DA90ADDFBB1BB48350F2081AAD849B7340DB306B84DF55
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 74b1a02970c39c47b45041c200990e685aac7fc35223ed5dd6a5c291d0407c3c
• Instruction ID: e92d0ab7a98c68cd7689e4ea664d55cb742e11440dbe97f573872f5ababe4450
• Opcode Fuzzy Hash: 74b1a02970c39c47b45041c200990e685aac7fc35223ed5dd6a5c291d0407c3c
• Instruction Fuzzy Hash: D6112A71A0410AAFDF05DF58E94199F7BF5EF48304F14405AF805EB352D670DA15CB69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 0040373F
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: e5a001d352be6fc784b676a6f4ac94111781e1afefaa75c774d19f4d874569f3
• Instruction ID: 1f83190ccb7284a945d627c352a8af0deec80e54417847a9b28e6d6de5687d5d
• Opcode Fuzzy Hash: e5a001d352be6fc784b676a6f4ac94111781e1afefaa75c774d19f4d874569f3
• Instruction Fuzzy Hash: F6F024F26000009BCB14AF61E4429FAB7ECDE243A7750447FF989D7282E73EDA448788
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,0042C58A,00417EFF,?,00444870,00000001,00000364,00417EFF,00000008,000000FF,?,0042F3CF,00417EFD,00417EFB,?,?), ref: 00444F2B
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: a67815bf3a869f96681a983d491eb3b40caf69aff6fa6519728d0dfc96a736c8
• Instruction ID: 086544c5e523b8e02c2757f3417cf7e9bd7439c420b709eac9e7cfb6d4d974b4
• Opcode Fuzzy Hash: a67815bf3a869f96681a983d491eb3b40caf69aff6fa6519728d0dfc96a736c8
• Instruction Fuzzy Hash: CEF0B4316155246BBB215E629C05B7B7788ABD17A1F158417FD04E7280CE38D80886E9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetupDiGetClassDevsA.SETUPAPI(00562560,00000000,00000000,00000012), ref: 004F1F17
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ClassDevsSetup
• String ID:
• API String ID: 2330331845-0
• Opcode ID: bdd51cae4c084c57fcc4901e949a17f5d6d576fa70ecaa2978942f43ecf13d9a
• Instruction ID: bee270daeaff66964e48d3d321f2ef6a0a83fe545a7604eea2b81030ab9a0a7d
• Opcode Fuzzy Hash: bdd51cae4c084c57fcc4901e949a17f5d6d576fa70ecaa2978942f43ecf13d9a
• Instruction Fuzzy Hash: E4F0E970B1071857D3309F28AC05357BBE49B51B14F10075EF5458B3C1E7F5699853D6
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00417EFF,00417EFB,?,0042F3CF,00417EFD,00417EFB,?,?,?,0040390D,0042C58A,00417EFF,00417EFB,0042C58A), ref: 00445956
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: f2b14cbab143d06f1f7f7dbb6931a5cb890e65deebc000058d543e0d14a0fef9
• Instruction ID: 47241cb67a9c7b30d4e0b830f1b418076ccf533a730137c1b779a77b3e9f7ccf
• Opcode Fuzzy Hash: f2b14cbab143d06f1f7f7dbb6931a5cb890e65deebc000058d543e0d14a0fef9
• Instruction Fuzzy Hash: 1CE0E571202A20EBFE252F265C0576B3648DB413B0F080113FD05F6292DB68CC0482ED
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00405AB3
  • Part of subcall function 0042C80A: FindNextFileW.KERNELBASE(?,?,?,00405DA3,?,?), ref: 0042C813
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: FileFindNext___std_fs_directory_iterator_advance@8
• String ID:
• API String ID: 3878998205-0
• Opcode ID: 81b8d4adac4151a37c88ea3531144291c0ed1dde65bf57112f3d275560818ac6
• Instruction ID: f6ea285aba16a13ea3ec76640246895ff5761922bd5c6c82d3b00af4906e1a90
• Opcode Fuzzy Hash: 81b8d4adac4151a37c88ea3531144291c0ed1dde65bf57112f3d275560818ac6
• Instruction Fuzzy Hash: BED0A721300930115E65712738405FF4A5ACED2778B04017FB904F33C2EA2C4C038CED
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 6a1e62305c3acb8e5222b1c12e093a7fef9c21457bd0ab900d0622aaa7e19f4a
• Instruction ID: aff0934107e9bc2afc1ed01947bee51e3b082187fcc3c1abf97fb91d30d5be1b
• Opcode Fuzzy Hash: 6a1e62305c3acb8e5222b1c12e093a7fef9c21457bd0ab900d0622aaa7e19f4a
• Instruction Fuzzy Hash: 95E09A72D0020D9ADB00DFD5D456BEFBBB8AB08314F50416BA605E7181EB785748CBE5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 0043D239
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: a91d23867b62d5b96c41623edd2e8bd3ad87182c46de236b94739b51406d3068
• Instruction ID: 7ae74b51c889a2cb05e6a06522f477e8d6926b4a8c7f3733491aa3a38d366a2c
• Opcode Fuzzy Hash: a91d23867b62d5b96c41623edd2e8bd3ad87182c46de236b94739b51406d3068
• Instruction Fuzzy Hash: 92D06C3200010DBBDF028F84DC06EDA3BAAFB4C714F014040FA1866120C772E822EB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(6C590000), ref: 00408FF3
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 308e6b39f116d145aea3c2b24b2b05ac875d59807b2ada3de83e787a582b006c
• Instruction ID: c70e8580a0d1111b0a5d225c9a9e9d8cc6a6b0ca9556e84d53e49695d3c6a0de
• Opcode Fuzzy Hash: 308e6b39f116d145aea3c2b24b2b05ac875d59807b2ada3de83e787a582b006c
• Instruction Fuzzy Hash: 2FC0027450414156D7159738DC487623B54A761758FC810769841B2AE2CE789448EB55
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • FreeLibrary.KERNELBASE(6C590000), ref: 00408FF3
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                      • Opcode ID: e1b8b5312981e26a60b0176e6b126c99adc267963dcf4990b13cab83b377898a
                                                                                                                                      • Instruction ID: 490db17b99ce191f58a9b4e04f03cf5ce589e7a007bfd414fe16c1c7cc511007
                                                                                                                                      • Opcode Fuzzy Hash: e1b8b5312981e26a60b0176e6b126c99adc267963dcf4990b13cab83b377898a
                                                                                                                                      • Instruction Fuzzy Hash: 23C012680082C29BCB0693358848365AE00AF23218F8804AE8880A66D3CDA94008DB15
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNEL32(00000065,?,?,?,?,?,?,?,?,?,?,?,00458D52), ref: 004D2093
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3472027048-0
                                                                                                                                      • Opcode ID: 83f2b2eca9ec0b48552a48ca10ae59a4487ce3495c761ca9039c3b03c55a5e39
                                                                                                                                      • Instruction ID: 5725677e75a6ac36c440eb726a8cd5388f75a9debdf55df4042df7e65aebbe00
                                                                                                                                      • Opcode Fuzzy Hash: 83f2b2eca9ec0b48552a48ca10ae59a4487ce3495c761ca9039c3b03c55a5e39
                                                                                                                                      • Instruction Fuzzy Hash: 20F0E221A0025016EA22B2792D0673A3F85A7A6724F48018BEF423B7D2DAD82D0983D6
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNELBASE(00000065), ref: 004D2103
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3472027048-0
                                                                                                                                      • Opcode ID: 35fb44faf0a8fc100d841d81db4c77c8e28ab7600db3ad407436fbe4614108cb
                                                                                                                                      • Instruction ID: 16727208b5f08e4bea599353fbf53a6d413f31fbfb73884cdf8f34aab55cbcc4
                                                                                                                                      • Opcode Fuzzy Hash: 35fb44faf0a8fc100d841d81db4c77c8e28ab7600db3ad407436fbe4614108cb
                                                                                                                                      • Instruction Fuzzy Hash: B8F0A731B0025416EA26736D7E06B3B3F8997A5765F48009FEE403BBD2DDD9280987D6
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNELBASE(00000065,?,?,?,?,?,?,?,?,?,?,?,00458D4D), ref: 004D2173
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3472027048-0
                                                                                                                                      • Opcode ID: cb4445f8f23e35d184d7bbbb276354b3f66d002ad20050ef745446d9cc5894b3
                                                                                                                                      • Instruction ID: 90a6c49b21b0fd82ae87a0f264113b7d17b526517561dc18198510732a1b952e
                                                                                                                                      • Opcode Fuzzy Hash: cb4445f8f23e35d184d7bbbb276354b3f66d002ad20050ef745446d9cc5894b3
                                                                                                                                      • Instruction Fuzzy Hash: 53F0E225A0024016EA21B26D2D07B3B3FA587E5724F48008BEE403B7E2E998690D93D6
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNELBASE(00000065), ref: 004D1FB3
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3472027048-0
                                                                                                                                      • Opcode ID: 8cc8233da0b4eadc4345afef26914da44cd989e3a36f9e64d21921473576aba7
                                                                                                                                      • Instruction ID: 96813e4978320da69047605bdc5ebc2db0ede144c46c0996891fef61e0d73129
                                                                                                                                      • Opcode Fuzzy Hash: 8cc8233da0b4eadc4345afef26914da44cd989e3a36f9e64d21921473576aba7
                                                                                                                                      • Instruction Fuzzy Hash: F1F02731B0425026EA25736D7D06B3A3F858795724F48018FED002BBE3DE99280987D7
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNEL32(00000065,?,?,?,?,?,?,?,?,?,?,?,00458D57), ref: 004D2023
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3472027048-0
                                                                                                                                      • Opcode ID: 023d8daf2c2feeef625063db40c37107e19a346fd89d2fc77cc72de507247420
                                                                                                                                      • Instruction ID: 649beb9cb224a865d551f479db4d9118ca68f30c140776fc94dbe4ded046f890
                                                                                                                                      • Opcode Fuzzy Hash: 023d8daf2c2feeef625063db40c37107e19a346fd89d2fc77cc72de507247420
                                                                                                                                      • Instruction Fuzzy Hash: 76F0E921A4224016DA2272693D067363F8587A5764F04104FEF00377D2D9D42809C7D6
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • GdiplusStartup.GDIPLUS(?,0045A92C,00000000,7FFFFFFF,?), ref: 004F2189
                                                                                                                                      • GetSystemMetrics.USER32(00000001), ref: 004F219F
                                                                                                                                      • GetSystemMetrics.USER32(00000000), ref: 004F21A5
                                                                                                                                      • GetDC.USER32(00000000), ref: 004F21AB
                                                                                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 004F21BF
                                                                                                                                      • CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 004F21D3
                                                                                                                                      • SelectObject.GDI32(?,00000000), ref: 004F21E8
                                                                                                                                      • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 004F2201
                                                                                                                                      • GdipCreateBitmapFromHBITMAP.GDIPLUS(00584418,00000000,00000000), ref: 004F2217
                                                                                                                                      • GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 004F2233
                                                                                                                                      • GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 004F225A
                                                                                                                                      • GdipSaveImageToFile.GDIPLUS(00000000,6F2977B7,?,?), ref: 004F22FD
                                                                                                                                      • DeleteObject.GDI32(00584418), ref: 004F2306
                                                                                                                                      • GdipDisposeImage.GDIPLUS(00000000), ref: 004F230D
                                                                                                                                      • DeleteObject.GDI32(?), ref: 004F2316
                                                                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 004F231F
                                                                                                                                      • GdiplusShutdown.GDIPLUS(?), ref: 004F2328
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Gdip$Image$CreateObject$BitmapCompatibleDeleteEncodersGdiplusMetricsSystem$DisposeFileFromReleaseSaveSelectShutdownSizeStartup
                                                                                                                                      • String ID: image/png
                                                                                                                                      • API String ID: 258367123-2966254431
                                                                                                                                      • Opcode ID: fb1bbdcbdec57114dd12a1ee1549e3a4fa01625a0ff2eb2c6bcf6a3c4bb0fd9d
                                                                                                                                      • Instruction ID: db5a99caf6ac0e95f343f652cfce475829ccb6d2aa326760d5af157a7b9552c8
                                                                                                                                      • Opcode Fuzzy Hash: fb1bbdcbdec57114dd12a1ee1549e3a4fa01625a0ff2eb2c6bcf6a3c4bb0fd9d
                                                                                                                                      • Instruction Fuzzy Hash: C8516D71D00209AFDF109FA4DD49BEEBBB8FF18314F100065EA05B72A1D7B99948DB64
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: UNIQUE$%s %T cannot reference objects in database %s$CREATE%s INDEX %.*s$INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);$altertab_$conflicting ON CONFLICT clauses specified$index$index %s already exists$name='%q'$pkU$sqlite_$sqlite_autoindex_%s_%d$sqlite_master$table %s has no column named %s$table %s may not be indexed$there is already a table named %s$virtual tables may not be indexed$hU
                                                                                                                                      • API String ID: 0-4232462188
                                                                                                                                      • Opcode ID: 8d8e348df3eb0c30f3b8e1ec99145f6a2f48bff374bc3e7a667263807fad0248
                                                                                                                                      • Instruction ID: e93dd321a033fea174b589206a083260ae5da8e2c1557436a8bfc2c3ffc6432b
• Opcode Fuzzy Hash: 8d8e348df3eb0c30f3b8e1ec99145f6a2f48bff374bc3e7a667263807fad0248
• Instruction Fuzzy Hash: 8D82A274A002669FDB14CF68D494BAEBFB1BF46304F188569EC05AB382D735ED41CB92
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040,?,00000000), ref: 004DB3EA
• WriteProcessMemory.KERNEL32(00000000,00000000,t-M,?,00000000), ref: 004DB406
• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004DB43F
• VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004DB469
• WriteProcessMemory.KERNEL32(?,?,?,00000218,00000000,00588C74,00000000,?,?), ref: 004DB667
• WriteProcessMemory.KERNEL32(?,?,004DB750,-00000010,00000000), ref: 004DB687
• CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 004DB69A
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004DB6A3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
• String ID: %s|%s$t-M
• API String ID: 2137838514-2592370387
• Opcode ID: 502cd35e78cc367812a42df3840befbd2d79fc952882e913ae0aa7bcc4483364
• Instruction ID: 6aa050c662bd13d499a16f11a1e563ae193b69cbb3db5d026509a3591e8fd703
• Opcode Fuzzy Hash: 502cd35e78cc367812a42df3840befbd2d79fc952882e913ae0aa7bcc4483364
• Instruction Fuzzy Hash: 6AC1AD719002089FDB14CFA8DC95BAEBBB5FF48300F10815AE905BB391DB74A984DFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,?,?,0040EE72,?,?,?,74DF3100,00000000), ref: 004EC2D1
• CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,0056AD5C,00000001,0000002E,0000002F,?,?), ref: 004EC51B
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004EC686
• FindNextFileA.KERNEL32(00000000,?), ref: 004EC69C
• FindClose.KERNEL32(00000000), ref: 004EC6AC
• GetLastError.KERNEL32 ref: 004EC6B2
• GetLastError.KERNEL32 ref: 004EC6D0
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: FileFind$ErrorLast$CloseCopyCreateDirectoryFirstNext
• String ID:
• API String ID: 1590598969-0
• Opcode ID: c59fc84a10852f54f29d60a547431813f4d760406089d517f69196a3d814b764
• Instruction ID: 747cd6a67703dac2eb993d4e5b6231773c294ce311ce67402da0ef740dec2945
• Opcode Fuzzy Hash: c59fc84a10852f54f29d60a547431813f4d760406089d517f69196a3d814b764
• Instruction Fuzzy Hash: E622E070C00248CFDB14DF68C8847EEBBB5BF19305F14429EE859AB292D7389A85CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: da9375122c7f38aef1b98b42bf48e098612be30453a2df058743415e8865b902
• Instruction ID: 19b2b9832e91dc5334225f28d461ebb5f9cd7fa0aaab348ffad5a30d2ce72a94
• Opcode Fuzzy Hash: da9375122c7f38aef1b98b42bf48e098612be30453a2df058743415e8865b902
• Instruction Fuzzy Hash: 0FD23971E086288FDB64CE28DD447EAB7B5EB45305F1401EBD80DE7241EB78AE898F45
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID: %d values for %d columns$OID$ROWID$_ROWID_$rows inserted$table %S has %d columns but %d values were supplied$table %S has no column named %s
• API String ID: 0-557196483
• Opcode ID: 12b426f7bdbe98775aa7440f51adb549263eb548123024e11ef7e24f224fe659
• Instruction ID: e16d57ff769c01e613f081803d3a99e8b2fa06a3413bbdfdeb6f383a167cc5c4
• Opcode Fuzzy Hash: 12b426f7bdbe98775aa7440f51adb549263eb548123024e11ef7e24f224fe659
• Instruction Fuzzy Hash: 84D269706047528FD724DF28D444B2ABBE1FF86304F15895DE88A8B392E779E945CF82
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID: OID$ROWID$_ROWID_$no such column: %s$rows updated
• API String ID: 0-3385237395
• Opcode ID: c0c585efeabff36969f7bd72527d717e6c386a5e7ca283b51e524193af94d216
• Instruction ID: 54983cf935286fed85f1d38aca188a08520a17ed0d3d8c2e75c97e0ee3f6277e
• Opcode Fuzzy Hash: c0c585efeabff36969f7bd72527d717e6c386a5e7ca283b51e524193af94d216
• Instruction Fuzzy Hash: B6C278706047428FE724DF18C0A4B6ABBF1FF88304F16895DE9968B352D775E985CB82
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,00417EFB,0044A0B9), ref: 004446D6
  • Part of subcall function 004446D2: SetLastError.KERNEL32(00000000,00000000,00417EFF,00000008,000000FF), ref: 00444778
• GetACP.KERNEL32(?,?,?,?,?,?,00441B90,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0044D4AA
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441B90,?,?,?,00000055,?,-00000050,?,?), ref: 0044D4E1
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0044D644
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid
• String ID: utf8
• API String ID: 607553120-905460609
• Opcode ID: c45a0186f4581b71202d969cc458f697c66e26bf91fa0bd1cdd2ae7615315ff2
• Instruction ID: 2cfea991c2b2acc9964e98fc6b5fb71baa63820d9a3b6a37bb74a83d3ed0bc3b
• Opcode Fuzzy Hash: c45a0186f4581b71202d969cc458f697c66e26bf91fa0bd1cdd2ae7615315ff2
• Instruction Fuzzy Hash: F771D671A00605AAFB24AB75CC86BBB73A8EF05748F14442BF905D7281EF7CE944C769
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: df95842549be15c8087ce8587c1e81bb78068c8bde995323ffdbbd237b0ae3a7
• Instruction ID: 7de7f519c8b512efe808fbc5ffa62cc3ef6a6e83b70a7c434dda002dc4e381e9
• Opcode Fuzzy Hash: df95842549be15c8087ce8587c1e81bb78068c8bde995323ffdbbd237b0ae3a7
• Instruction Fuzzy Hash: 47026FB1E042199BDF24CFA9C9806AEFBF1FF48324F24826AD955E7341D735A901CB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32 ref: 004E20A0
• IsProcessorFeaturePresent.KERNEL32(00000015), ref: 004E20AC
• GetVolumeInformationA.KERNEL32(?,?,00000105,?,?,?,?,00000105), ref: 004E215F
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Present$DebuggerFeatureInformationProcessorVolume
• String ID:
• API String ID: 3535182753-0
• Opcode ID: 623aa9994b68ff213dbe910c545f283b358e46525878ba29fffe8422486bf1ad
• Instruction ID: afbfdc60606ab1e9c61f519775a33832b97aa9882633c04701562a7ea04b081c
• Opcode Fuzzy Hash: 623aa9994b68ff213dbe910c545f283b358e46525878ba29fffe8422486bf1ad
• Instruction Fuzzy Hash: C0B103B8D0424CEBCB25CFA5DA81AEDBBB5BF19304F2441DAD885AB341EB315A44DF44
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00417EFF), ref: 004333EC
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00417EFF), ref: 004333F6
• UnhandledExceptionFilter.KERNEL32(00417BD5,?,?,?,?,?,00417EFF), ref: 00433403
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 9f1139638b3df056369de36d10a25bd443a0870b0bf33701996310552448855e
• Instruction ID: 827401fa7b85709c6d67aee7b5506a22afc2dd98f9d62e6690368e1bc4fb37e0
• Opcode Fuzzy Hash: 9f1139638b3df056369de36d10a25bd443a0870b0bf33701996310552448855e
• Instruction Fuzzy Hash: 5731C2749012289BCB21DF69D9897CDBBB8BF18314F5051EAE41CA7250EB749F858F48
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: %s-mj%08X$pkU$hU
                                                                                                                                      • API String ID: 0-341565662
                                                                                                                                      • Opcode ID: 621282d0f7e86b59c73d889168a479367e4e4b45a0f6af4de372c4ca78fdb6c3
                                                                                                                                      • Instruction ID: 5ca5c39a8de68291b6d3e4cc79652f43b2b7ddcad8b7fc2209c3f4d9f5c1e8c2
                                                                                                                                      • Opcode Fuzzy Hash: 621282d0f7e86b59c73d889168a479367e4e4b45a0f6af4de372c4ca78fdb6c3
                                                                                                                                      • Instruction Fuzzy Hash: 1E427E74A006069FDB14CFA9D884BEEBBF1FF58308F188069D81AA7311D775A985CB58
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00553513
                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00553571
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 885266447-0
                                                                                                                                      • Opcode ID: d6ef0b778412603ae4375fe8f4b2b868cc24e55a123d3fdd18dfd41b4726deb8
                                                                                                                                      • Instruction ID: 3fbf31a8c3cdee1091fcfc22b4047fc9f3449861c1a85ea422063c13361c5e55
                                                                                                                                      • Opcode Fuzzy Hash: d6ef0b778412603ae4375fe8f4b2b868cc24e55a123d3fdd18dfd41b4726deb8
                                                                                                                                      • Instruction Fuzzy Hash: 7802F571E006598BCF19CF6DD8A42BDFFB1BF85351F1982ABE859AB281DB704A44C740
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Strings
                                                                                                                                      • Content-Type: application/x-www-form-urlencoded, xrefs: 004D33A7
                                                                                                                                      • Content-Type: application/x-www-form-urlencoded, xrefs: 004D3E29
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: Content-Type: application/x-www-form-urlencoded$Content-Type: application/x-www-form-urlencoded
                                                                                                                                      • API String ID: 0-1609673914
                                                                                                                                      • Opcode ID: 15fddcd78b82633c546b501252666b69c8ae382b07e44ee9f8b04fb236ec00c1
                                                                                                                                      • Instruction ID: 33a632d0a306c15a1de1fb4794a992465f2ff5513e11846780c43e6219a31879
                                                                                                                                      • Opcode Fuzzy Hash: 15fddcd78b82633c546b501252666b69c8ae382b07e44ee9f8b04fb236ec00c1
                                                                                                                                      • Instruction Fuzzy Hash: BCB201B4D042589BCB25DFA8D991BECBBB1BF48314F14819AE84977341DB342E84CF69
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • InternetCloseHandle.WININET(?), ref: 004FA262
                                                                                                                                      • InternetCloseHandle.WININET(?), ref: 004FA271
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseHandleInternet
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1081599783-0
                                                                                                                                      • Opcode ID: fd654fbc9e612cb654ed9e4d8faceb9001d45f40f054eec1f6580af07df3ed4c
                                                                                                                                      • Instruction ID: f9047d7434dced4cf20933e84560d58d69618fbb45727c1a51f3fb53e9aaca21
                                                                                                                                      • Opcode Fuzzy Hash: fd654fbc9e612cb654ed9e4d8faceb9001d45f40f054eec1f6580af07df3ed4c
                                                                                                                                      • Instruction Fuzzy Hash: 1B814DB5E042099BDF18CF99DD81ABEBBB5FF88310F14812AE905B7340DB359911CBA5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0043C210
                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043C22F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1518329722-0
                                                                                                                                      • Opcode ID: 954a7c4d5890fab9a4c96a24ff15e7c185c2cda78a089061de3c48e681f8a955
                                                                                                                                      • Instruction ID: ec6cd9ee3c427c05d13ca8e13f4ecd96f164f970f8f353a80a24a946ea283c5e
                                                                                                                                      • Opcode Fuzzy Hash: 954a7c4d5890fab9a4c96a24ff15e7c185c2cda78a089061de3c48e681f8a955
                                                                                                                                      • Instruction Fuzzy Hash: 9CF0F4B1E00214BB8724CFADC88499FBEEAEAC9370B35429AF809E3340E574DD01C794
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0044830F,?,?,00000008,?,?,0045277F,00000000), ref: 00448541
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ExceptionRaise
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3997070919-0
                                                                                                                                      • Opcode ID: a522b569da1b4251fc9465fad5f5be812267484b24e4dcd58fb934ad629dd70c
                                                                                                                                      • Instruction ID: 77f85e0033942a6f02aeb2ce0c4b177648a4ad42039305f86338891f230134e9
                                                                                                                                      • Opcode Fuzzy Hash: a522b569da1b4251fc9465fad5f5be812267484b24e4dcd58fb934ad629dd70c
                                                                                                                                      • Instruction Fuzzy Hash: 15B14B31610609DFE715CF28C48AB697BE0FF45364F25865DE899CF2A1CB39E982CB44
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: __allrem
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2933888876-0
                                                                                                                                      • Opcode ID: a9d30a74fc4e9ed61f6c396232b0d774953ff2e67443f99245b097325991053d
                                                                                                                                      • Instruction ID: 6a3e6f16453dbbf5a8bbe516ce83afefbcf635a20edd48ca6a6075a7bef4e538
                                                                                                                                      • Opcode Fuzzy Hash: a9d30a74fc4e9ed61f6c396232b0d774953ff2e67443f99245b097325991053d
                                                                                                                                      • Instruction Fuzzy Hash: A9619D31610744CFCB19CF6DC880A5AFBF1BF95304B048AAEE886DB752C630E955CB91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: d
                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                      • Opcode ID: 4a3f3b486a1d720154e68768baa6182dcaba36147a24c6d9c66db439763e9426
                                                                                                                                      • Instruction ID: 3fb9d88d0b5f755fd0e6344615324f693740c7374d349f51c13debef489c49ab
                                                                                                                                      • Opcode Fuzzy Hash: 4a3f3b486a1d720154e68768baa6182dcaba36147a24c6d9c66db439763e9426
                                                                                                                                      • Instruction Fuzzy Hash: A9B181706087468FD714CF29C4905AABFE1BFD9308F1885ADE8958F342D775E906CB91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: pkU
                                                                                                                                      • API String ID: 0-918070869
                                                                                                                                      • Opcode ID: 3c47866646e7ad2c2809d177c87e6350d37e97b3c62a267fc2a681407d841881
                                                                                                                                      • Instruction ID: cf1624fd1a6dc0b57627c03be5c97227f8004610d698b89aec3193db8da64621
                                                                                                                                      • Opcode Fuzzy Hash: 3c47866646e7ad2c2809d177c87e6350d37e97b3c62a267fc2a681407d841881
                                                                                                                                      • Instruction Fuzzy Hash: FFA157B4A016169FDB14CF69C49066AFBE1FF8A315F28C66ADC18DB311E731E915CB80
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e66eafb21ff0ac23a1e243a383367402beece03311f5ec548545498dddb0c253
                                                                                                                                      • Instruction ID: f66ee135833696fdc7097fc137d742b9d11648fb3e57faaf4428e0af157d3001
                                                                                                                                      • Opcode Fuzzy Hash: e66eafb21ff0ac23a1e243a383367402beece03311f5ec548545498dddb0c253
                                                                                                                                      • Instruction Fuzzy Hash: 653274B3F5161447DF1CCA6ECC922EDB2E36FD821871E813DE80AE3345EA79E9454684
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___std_fs_get_full_path_name@12
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 319883303-0
                                                                                                                                      • Opcode ID: be8bbe3333b6d57c4f46257efe2734d2df09f0409c9ab000548af82b6a882924
                                                                                                                                      • Instruction ID: c11c03a4ba85e1a93428e849fa2557597bc0e8ae3287c831331b45fae00d0dd8
                                                                                                                                      • Opcode Fuzzy Hash: be8bbe3333b6d57c4f46257efe2734d2df09f0409c9ab000548af82b6a882924
                                                                                                                                      • Instruction Fuzzy Hash: 51627071D04218CBCF24DF64C9846FEB7B1BF58308F25419AD949AB241EB38AE85CF95
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e3decf17f88fb5ac76b29777a26226d46cd3689a36327aa0461450516a9efa79
                                                                                                                                      • Instruction ID: 7734e3287553b3d74106f6f7eb9ccba05eed1c215cdc5eb9b880f13b62f88aab
                                                                                                                                      • Opcode Fuzzy Hash: e3decf17f88fb5ac76b29777a26226d46cd3689a36327aa0461450516a9efa79
                                                                                                                                      • Instruction Fuzzy Hash: 65428D75A043418FE714CF28C480B5ABBE1BFC8314F149A6DE9999B395D7B1E8C5CB82
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ef81d08433bf8d8d61e6c1161020cb8fffbde7e1d3568ab1fbacf3de246997fd
                                                                                                                                      • Instruction ID: ba967dd3ff9d9106477157ee49b7d729a4060b443a8a457c01192f13d4eca8ea
                                                                                                                                      • Opcode Fuzzy Hash: ef81d08433bf8d8d61e6c1161020cb8fffbde7e1d3568ab1fbacf3de246997fd
                                                                                                                                      • Instruction Fuzzy Hash: DA02B3326106968FC724CF29C88107BBBF1EF89311769886ED9D6DB781C634F612CB60
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: fbfdc33d2fdc3bee5cddbea4ce36b5624ba5c86133e9e197b308071150bd34ce
                                                                                                                                      • Instruction ID: e176e8c39fa0001ffa0331148fc1a1e597aad8ea40cb8f55bb963474ee5d0d66
                                                                                                                                      • Opcode Fuzzy Hash: fbfdc33d2fdc3bee5cddbea4ce36b5624ba5c86133e9e197b308071150bd34ce
                                                                                                                                      • Instruction Fuzzy Hash: BEE1F372F1022A8FCB05CFA8D8816ADFBF1AF88324F5941AAD815B7340D774A955CB94
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 142b9e497edc779feb926e324d820a004adefa17f44103fd404662cc1c40eab9
                                                                                                                                      • Instruction ID: 38e074bbf3e805e58539ca8d739cae2271b6a1961dda6b795eee354daaa2981f
                                                                                                                                      • Opcode Fuzzy Hash: 142b9e497edc779feb926e324d820a004adefa17f44103fd404662cc1c40eab9
                                                                                                                                      • Instruction Fuzzy Hash: 2361DA316201A84FE748DF5EFCC0476B361E3AE301789461AEA81CB395C675F56AE7E0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
                                                                                                                                      • Instruction ID: 96e57ead98d41e04fe68f30f62ea81bdeba23ce11bdd67b69aec938acc7c3f29
                                                                                                                                      • Opcode Fuzzy Hash: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
                                                                                                                                      • Instruction Fuzzy Hash: 8F516072D00119AFDF04CF99C841AEFBBB6FF88304F598499E915AB301D7789A41DB94
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1584348cf9e3f3be4a9b24cc4e2ffe07feb8b558a8eaef0232f41b95094aa3e0
                                                                                                                                      • Instruction ID: 7211d50b4de8a7ebd746b1f7ef274bdd41a532539b5b6ed0c87081a493a79e19
                                                                                                                                      • Opcode Fuzzy Hash: 1584348cf9e3f3be4a9b24cc4e2ffe07feb8b558a8eaef0232f41b95094aa3e0
                                                                                                                                      • Instruction Fuzzy Hash: 19312972B80708AEDB209E69CC40BCDBF96EF45211F04C559FD9C9B750C271E259C7A0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00451BDF), ref: 0045228C
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DecodePointer
                                                                                                                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                                                      • API String ID: 3527080286-3064271455
                                                                                                                                      • Opcode ID: 78e946a8a646183d16df3de3d23e88c0ab9a8f5197b1dee8433a7cf1ad31b41b
                                                                                                                                      • Instruction ID: bc8b7c0c72404b0f1092b03344519f1b29bd64598f75d1cbe0b332ea915a13b4
                                                                                                                                      • Opcode Fuzzy Hash: 78e946a8a646183d16df3de3d23e88c0ab9a8f5197b1dee8433a7cf1ad31b41b
                                                                                                                                      • Instruction Fuzzy Hash: 40513B70A0050ADBCF148F69DA481AE7FB4FB46306F144147EC81A7266C7FC8A6EDB59
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 00551780: GetVersionExA.KERNEL32(?), ref: 005517A6
                                                                                                                                      • GetVersionExA.KERNEL32(?), ref: 00551173
                                                                                                                                      • DeleteFileW.KERNEL32(00000000), ref: 00551192
                                                                                                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 00551199
                                                                                                                                      • GetLastError.KERNEL32 ref: 005511A6
                                                                                                                                      • Sleep.KERNEL32(00000064), ref: 005511BC
                                                                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 005511C5
                                                                                                                                      • GetFileAttributesA.KERNEL32(00000000), ref: 005511CC
                                                                                                                                      • GetLastError.KERNEL32 ref: 005511D9
                                                                                                                                      • Sleep.KERNEL32(00000064), ref: 005511EF
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$AttributesDeleteErrorLastSleepVersion
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1421123951-0
                                                                                                                                      • Opcode ID: a32e8ebdc0ee50ea10910d3abb4bcf5407c24b4234d9610179a2b3841acf5433
                                                                                                                                      • Instruction ID: 2cf516fa490645c339834e1360d609708cb136430ee32b1ceb257c2769835cc0
                                                                                                                                      • Opcode Fuzzy Hash: a32e8ebdc0ee50ea10910d3abb4bcf5407c24b4234d9610179a2b3841acf5433
                                                                                                                                      • Instruction Fuzzy Hash: 5F21F635900E149BCB20AB78AC9C2AD7EB4FB6A336F100197EE1AD3280DA704849D751
Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422A7B
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422A94
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B51
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B6A
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___std_exception_destroy
                                                                                                                                      • String ID: $array$number overflow parsing '
                                                                                                                                      • API String ID: 4194217158-1444002993
                                                                                                                                      • Opcode ID: e64a46b01eb755b3409b002ddb586fc40505f2fec82a29546d02b01d75528791
                                                                                                                                      • Instruction ID: b9be30596a158e5ed89902264b7fe79a610ddcfe29da18a95ce0fa7f3111436e
                                                                                                                                      • Opcode Fuzzy Hash: e64a46b01eb755b3409b002ddb586fc40505f2fec82a29546d02b01d75528791
                                                                                                                                      • Instruction Fuzzy Hash: 5EF11070D002599FCB14CFA0D984BEEFBB4BF15304F54829EE44977242DB78AA89CB65
Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___TypeMatch.LIBVCRUNTIME ref: 00432283
                                                                                                                                      • _UnwindNestedFrames.LIBCMT ref: 004323D5
                                                                                                                                      • CallUnexpected.LIBVCRUNTIME ref: 004323F0
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwind
                                                                                                                                      • String ID: L;V$csm$csm$csm
                                                                                                                                      • API String ID: 3456342781-3339109018
                                                                                                                                      • Opcode ID: f219870799de8bf8d93d667d8b8260d42bea9e02fac3f36c4a5e93c416ed644d
                                                                                                                                      • Instruction ID: 1a3b2e3aada59ff5ba11aad393d6dbbfac41e5171332123353ed96db4a75ae81
                                                                                                                                      • Opcode Fuzzy Hash: f219870799de8bf8d93d667d8b8260d42bea9e02fac3f36c4a5e93c416ed644d
                                                                                                                                      • Instruction Fuzzy Hash: 81B19971800219EFCF18DFA5CA819AFBBB5FF08314F14605BE9106B252D7B8DA51CB99
Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 004FA320
                                                                                                                                      • GetLastError.KERNEL32 ref: 004FA415
                                                                                                                                      • InternetQueryOptionA.WININET(00000000,0000001F,80000000,?), ref: 004FA440
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InternetOption$ErrorLastQuery
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3980908186-0
                                                                                                                                      • Opcode ID: 13505afe8bee8b3cefde12bb8587481c6416af93cd2c35f6481ac9ff60e3cb98
                                                                                                                                      • Instruction ID: f01b2b404452f55ee339e3d54677c8633c7154c7c4ff77dbfa4ec76481364019
                                                                                                                                      • Opcode Fuzzy Hash: 13505afe8bee8b3cefde12bb8587481c6416af93cd2c35f6481ac9ff60e3cb98
                                                                                                                                      • Instruction Fuzzy Hash: B7515EB5D40318ABEB20CF94DC85BFEBBB4EB48711F10411AEE14B7380D7B46A059BA5
Uniqueness Score: -1.00%

                                                                                                                                      Similarity
                                                                                                                                      • API ID: _strrchr
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3213747228-0
                                                                                                                                      • Opcode ID: 60d2c484e512d77ccd1e1b5e9e2f0544a37519f154a529b1ce1fcd72a47a8763
                                                                                                                                      • Instruction ID: 2b99461290635fdf7c51841e77c4c0c2a1f842bf94a4ab4c5a5740794f6651be
                                                                                                                                      • Opcode Fuzzy Hash: 60d2c484e512d77ccd1e1b5e9e2f0544a37519f154a529b1ce1fcd72a47a8763
                                                                                                                                      • Instruction Fuzzy Hash: F7B16A72900255AFFB118F24CC81BAF7BA5EF17354F16415BE804AB382D67CD901CBAA
Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0041A2CA
                                                                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0041A2EC
                                                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0041A30C
                                                                                                                                      • __Getcoll.LIBCPMT ref: 0041A3AF
                                                                                                                                      • std::_Facet_Register.LIBCPMT ref: 0041A413
                                                                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0041A42B
                                                                                                                                      Similarity
                                                                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1184649410-0
                                                                                                                                      • Opcode ID: bc8a44ca9ebd298cb82613ebc5c8b83f9d4ddd7e469ca24846ff3e2ce5bd3c98
                                                                                                                                      • Instruction ID: 4dfe593e994f1a936f3b51d0b47bc881a4e76fe992b8c8e0f1a10b66f2d188dc
                                                                                                                                      • Opcode Fuzzy Hash: bc8a44ca9ebd298cb82613ebc5c8b83f9d4ddd7e469ca24846ff3e2ce5bd3c98
                                                                                                                                      • Instruction Fuzzy Hash: C751F0B0901218DFCB11DF59E9857EEBBB0EF04314F14411EE806AB381D738AE85CB96
Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B51
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B6A
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___std_exception_destroy
                                                                                                                                      • String ID: $array
                                                                                                                                      • API String ID: 4194217158-2848110696
                                                                                                                                      • Opcode ID: 7dd7339a464972968c223f23dd340353b2c505788786f322ae0db6fbe7a5e979
                                                                                                                                      • Instruction ID: d024f3a104c0dc07aacb27d102b690a5239fee27944077c2c049d25c7474f40d
                                                                                                                                      • Opcode Fuzzy Hash: 7dd7339a464972968c223f23dd340353b2c505788786f322ae0db6fbe7a5e979
                                                                                                                                      • Instruction Fuzzy Hash: CA81AB70D04299EFCB24CF64C990BEEFBB0BF15304F54809AD44967342D778AA88DBA5
Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B51
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B6A
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___std_exception_destroy
                                                                                                                                      • String ID: $array
                                                                                                                                      • API String ID: 4194217158-2848110696
                                                                                                                                      • Opcode ID: bba8431f8b77e45d762f42b11501790ba793eab0415894d780c2da835d4d8dea
                                                                                                                                      • Instruction ID: 45989d7a15e601232ec8ccab9c1f66b91965c1dcd8dee12bc5f4bcdefb9ababa
                                                                                                                                      • Opcode Fuzzy Hash: bba8431f8b77e45d762f42b11501790ba793eab0415894d780c2da835d4d8dea
                                                                                                                                      • Instruction Fuzzy Hash: DF71AB70D04259EFCB14CFA0D980ADEFBB4BF55300F54829AD8456B352DBB8AA84CF90
Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B51
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B6A
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___std_exception_destroy
                                                                                                                                      • String ID: $array
                                                                                                                                      • API String ID: 4194217158-2848110696
                                                                                                                                      • Opcode ID: 3d6bbb5eeb9172bfa257f394eb500065afff9989a7f434fa6634e6c51bf1637d
                                                                                                                                      • Instruction ID: 609c5a3700c6786cab836529116566ed5d02bc52a958d6c1bc70f00cba6690f6
                                                                                                                                      • Opcode Fuzzy Hash: 3d6bbb5eeb9172bfa257f394eb500065afff9989a7f434fa6634e6c51bf1637d
                                                                                                                                      • Instruction Fuzzy Hash: 7961B370E00259EFCB14DFA4D990BEEBBB4FF15304F50416ED406A7241EB78AA89CB55
Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 004073FD
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___std_exception_copy
                                                                                                                                      • String ID: 0f@$0f@$ror
                                                                                                                                      • API String ID: 2659868963-919343903
                                                                                                                                      • Opcode ID: 112028d32abe800debf56b8705820299684bad471da3b80bad008eb432948aad
                                                                                                                                      • Instruction ID: bd30e4dd5d428fa32f229aa3174ea2d6325f7a69c46b693e369223945965a2aa
                                                                                                                                      • Opcode Fuzzy Hash: 112028d32abe800debf56b8705820299684bad471da3b80bad008eb432948aad
                                                                                                                                      • Instruction Fuzzy Hash: 31511170C042449BDB18CFA4DC847ADBBB0BF49304F10832EE8556B382E7B8A984DB95
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 004071FE
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___std_exception_copy
                                                                                                                                      • String ID: 0f@$0f@$ange
                                                                                                                                      • API String ID: 2659868963-373280750
                                                                                                                                      • Opcode ID: ffe6436ea23728eaf55144815bccbff6b30d1088563154c710925e0334a587d5
                                                                                                                                      • Instruction ID: 288f119f4ccb4c7cf0b8972ea0ca9e4329cc491e57a4aee3b53e0c7375ef9e73
                                                                                                                                      • Opcode Fuzzy Hash: ffe6436ea23728eaf55144815bccbff6b30d1088563154c710925e0334a587d5
                                                                                                                                      • Instruction Fuzzy Hash: 3E51F371D002449BDB18CFA8DC847ADBBB0FF85304F24836EE4157B391E7B8A9848B55
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B51
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B6A
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___std_exception_destroy
                                                                                                                                      • String ID: $array
                                                                                                                                      • API String ID: 4194217158-2848110696
                                                                                                                                      • Opcode ID: f591f61a8bc9937c86b3b8cfa7c27d91391b3c026308f04ef0385eca8551722c
                                                                                                                                      • Instruction ID: 2285c33957b6ee627a456b70cb7f63cd7f6884c01e9440285345d1a276e1a14b
                                                                                                                                      • Opcode Fuzzy Hash: f591f61a8bc9937c86b3b8cfa7c27d91391b3c026308f04ef0385eca8551722c
                                                                                                                                      • Instruction Fuzzy Hash: B841D470D0425CEADB14DFA0D954BEEBBB4FF15304F50419AD801A7242DBB86A88DB95
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B51
                                                                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422B6A
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___std_exception_destroy
                                                                                                                                      • String ID: $array
                                                                                                                                      • API String ID: 4194217158-2848110696
                                                                                                                                      • Opcode ID: cc20cc9b5357f5ede4b5d0c9139b99d4590d407fc1dcee02b8a87b0eff6239a2
                                                                                                                                      • Instruction ID: ad7a444c4cd574cfba9072b1c6d0c7cb7517e8d82aaae36da20541665898fc96
                                                                                                                                      • Opcode Fuzzy Hash: cc20cc9b5357f5ede4b5d0c9139b99d4590d407fc1dcee02b8a87b0eff6239a2
                                                                                                                                      • Instruction Fuzzy Hash: BC41D470D0425CEADB14DFA0D954BEEBBB4FF15304F50419AD801A7242DBB86A88DB95
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 0041417F
                                                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 004141A6
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___std_exception_copy
                                                                                                                                      • String ID: 0f@$0f@
                                                                                                                                      • API String ID: 2659868963-4245790314
                                                                                                                                      • Opcode ID: a0ec767d29c154d107e2924c90945eb70bd3bcc0216d37c8e4efd4af5cc58e06
                                                                                                                                      • Instruction ID: a7d6c344e60e7f18edcee1d7e68ac694af1bcf80748ebca3b88f48a52b3fdaf1
                                                                                                                                      • Opcode Fuzzy Hash: a0ec767d29c154d107e2924c90945eb70bd3bcc0216d37c8e4efd4af5cc58e06
                                                                                                                                      • Instruction Fuzzy Hash: 53F0FFB6910B16AB8751DFA6D440882FBFCFE55310750872BA51597A00F7B4F5588BA0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 0041424F
                                                                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00414276
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___std_exception_copy
                                                                                                                                      • String ID: 0f@$0f@
                                                                                                                                      • API String ID: 2659868963-4245790314
                                                                                                                                      • Opcode ID: 7df463b482ac48a62a19cdfd521df996d263433cd12c62f8aacd95f3aeb874f2
                                                                                                                                      • Instruction ID: c81a8536ff326cbba859ccac6298cb5db3856efc80ffb62d725151cad3de68e9
                                                                                                                                      • Opcode Fuzzy Hash: 7df463b482ac48a62a19cdfd521df996d263433cd12c62f8aacd95f3aeb874f2
                                                                                                                                      • Instruction Fuzzy Hash: D8F0FFB6910B16AB8751DF65D440882FBFCFE55324350872BA5159BA00F7B4F6588BA0
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 7511f47f2b8d2fe514c419f7a8a5e884613d924f38ebbfd2c945a9fddd631bd9
                                                                                                                                      • Instruction ID: 2126f9bf5856ab37efc9431dc69293eb0664d4eadafdfeefbb5e8820937b8c22
                                                                                                                                      • Opcode Fuzzy Hash: 7511f47f2b8d2fe514c419f7a8a5e884613d924f38ebbfd2c945a9fddd631bd9
                                                                                                                                      • Instruction Fuzzy Hash: 0D41D572A00204AFD7259F3ACC42B6BBBA9EB8C714F10552FF951DB3C1D2B9A9408784
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 004494E3: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004450F2,?,00000000,-00000008), ref: 00449544
                                                                                                                                      • GetLastError.KERNEL32 ref: 0044A2DE
                                                                                                                                      • __dosmaperr.LIBCMT ref: 0044A2E5
                                                                                                                                      • GetLastError.KERNEL32(?,?,?,?), ref: 0044A31F
                                                                                                                                      • __dosmaperr.LIBCMT ref: 0044A326
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1913693674-0
                                                                                                                                      • Opcode ID: 4aeb7d56512abd99a56e580aa898e1e8254ab7db8b2fd6091a031305fb940926
                                                                                                                                      • Instruction ID: e808a53d57fca8bd1b61f112aec170daf55b4bc7c6cded0a037d44453b824fae
                                                                                                                                      • Opcode Fuzzy Hash: 4aeb7d56512abd99a56e580aa898e1e8254ab7db8b2fd6091a031305fb940926
                                                                                                                                      • Instruction Fuzzy Hash: E8210A31644205AFEB20AF62CC8096B77A8FF44368700841FFD19C3340EB79EC619B96
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044B226
                                                                                                                                        • Part of subcall function 004494E3: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004450F2,?,00000000,-00000008), ref: 00449544
                                                                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044B25E
                                                                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044B27E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 158306478-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 00490044
• GetCurrentProcessId.KERNEL32 ref: 0049004C
• SetEvent.KERNEL32 ref: 00490069
• WaitForSingleObject.KERNEL32(000000FF), ref: 00490077
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Current$EventObjectProcessSingleThreadWait
• String ID:
• API String ID: 977356572-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___std_fs_get_full_path_name@12.LIBCPMT ref: 004061F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ___std_fs_get_full_path_name@12
• String ID: absolute$h<W
• API String ID: 319883303-1227054036
Uniqueness
• Uniqueness Score: -1.00%

APIs
• EncodePointer.KERNEL32(00000000,?), ref: 00432420
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: _strftime
• String ID: iU$hU
• API String ID: 1867682108-3535440888
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 004F2360
• GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 004F238D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: EncodersGdipImage$Size
• String ID: image/png
• API String ID: 864223233-2966254431
Uniqueness
• Uniqueness Score: -1.00%

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00404141
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00404190
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
• String ID: bad locale name
• API String ID: 3988782225-1405518554
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,00000000,?,0055200A), ref: 0055211A
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000, U,00000000,00000000,0055200A), ref: 0055214A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID: U
• API String ID: 626452242-2085870877
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 004141EF
• ___std_exception_copy.LIBVCRUNTIME ref: 00414216
Strings
Memory Dump Source
• Source File: 00000000.00000002.2007216495.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2007216495.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2007216495.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID: 0f@
• API String ID: 2659868963-2656153907
Uniqueness
• Uniqueness Score: -1.00%