Windows Analysis Report
AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msi

Overview

General Information

Sample name: AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msi
Analysis ID: 1432009
MD5: 3f79740f726f7d412336fafc9feba28f
SHA1: f5580579105ac3dde64bd65fd1371fa8c5313e70
SHA256: a4781c64764c1c030790269eae5f56e6a56edaac3f548db5caeb46b65acc6735

Detection

DanaBot
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Yara detected DanaBot stealer dll
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
May use the Tor software to hide its network traffic
PE file has a writeable .text section
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Registers a new ROOT certificate
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • msiexec.exe (PID: 6596 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 5100 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • BackupExtractor.exe (PID: 5328 cmdline: "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe" MD5: F6AC2A17BDFB64C090280DD734A77651)
      • cmd.exe (PID: 1056 cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 2040 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • BackupExtractor.exe (PID: 7616 cmdline: "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe" MD5: F6AC2A17BDFB64C090280DD734A77651)
  • BackupExtractor.exe (PID: 2992 cmdline: "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe" MD5: F6AC2A17BDFB64C090280DD734A77651)
Name: DanaBot
Description: Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
Attribution: SCULLY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
No configs have been found
Source: 00000004.00000003.1295035414.0000000007E84000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000004.00000003.1295035414.0000000007E84000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Author: Joe Security
Source: 00000004.00000003.1299209569.0000000008420000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000004.00000003.1299209569.0000000008420000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Author: Joe Security
Source: 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe", CommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe", ParentImage: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe, ParentProcessId: 5328, ParentProcessName: BackupExtractor.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe", ProcessId: 1056, ProcessName: cmd.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe, ProcessId: 5328, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Image AutoEnhancer
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe", CommandLine: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1056, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe", ProcessId: 2040, ProcessName: powershell.exe
No Snort rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\ActivityTracesHelper.dll, Virustotal: Detection: 8%
Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libmodel.dll, Virustotal: Detection: 14%
Source: Yara match, File source: Process Memory Space: BackupExtractor.exe PID: 5328, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC98BC0 strlen,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,19_2_6CC98BC0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC72BEC CRYPTO_clear_free,19_2_6CC72BEC
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC72B81 CRYPTO_malloc,memset,19_2_6CC72B81
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7CB9B CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,19_2_6CC7CB9B
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC88BA0 CRYPTO_realloc,memcpy,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,19_2_6CC88BA0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC94BB3 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key,EVP_sha256,EVP_DigestSignInit,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,19_2_6CC94BB3
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC66B58 CRYPTO_free,BIO_clear_flags,BIO_set_flags,memcpy,BIO_snprintf,ERR_add_error_data,19_2_6CC66B58
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC70B60 CONF_parse_list,CRYPTO_malloc,memcpy,CRYPTO_free,19_2_6CC70B60
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC92B70 CRYPTO_memdup,CRYPTO_free,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,19_2_6CC92B70
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC70B18 CONF_parse_list,CRYPTO_malloc,memcpy,CRYPTO_free,CRYPTO_free,ERR_put_error,19_2_6CC70B18
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC78B36 CRYPTO_malloc,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,19_2_6CC78B36
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC70B3A CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_put_error,19_2_6CC70B3A
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC624C1 CRYPTO_free,19_2_6CC624C1
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC9C4D0 time,CRYPTO_free,CRYPTO_malloc,memcpy,EVP_sha256,EVP_Digest,EVP_MD_size,CRYPTO_free,CRYPTO_free,19_2_6CC9C4D0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC624F7 CRYPTO_free,19_2_6CC624F7
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC644F0 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,BUF_MEM_grow,19_2_6CC644F0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8A4F0 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,CRYPTO_THREAD_unlock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,OPENSSL_LH_retrieve,19_2_6CC8A4F0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC66480 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,19_2_6CC66480
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC62493 CRYPTO_free,19_2_6CC62493
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC664B3 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,19_2_6CC664B3
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC704B0 CRYPTO_zalloc,19_2_6CC704B0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8E4B3 OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key,EVP_DigestSignInit,EVP_DigestUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,19_2_6CC8E4B3
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8044B CRYPTO_free,CRYPTO_memdup,ERR_put_error,19_2_6CC8044B
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC78440 ERR_put_error,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,OPENSSL_sk_new_null,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_set_cmp_func,OPENSSL_sk_sort,OPENSSL_sk_free,CRYPTO_free,ERR_put_error,CRYPTO_free,ERR_put_error,CRYPTO_free,19_2_6CC78440
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC74450 CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_put_error,ERR_put_error,CRYPTO_free,19_2_6CC74450
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC9E47C EVP_MD_CTX_free,CRYPTO_free,CRYPTO_strndup,19_2_6CC9E47C
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC74410 CRYPTO_THREAD_run_once,19_2_6CC74410
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6A430 CRYPTO_free,CRYPTO_malloc,CRYPTO_malloc,19_2_6CC6A430
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8C5C8 CRYPTO_free,19_2_6CC8C5C8
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC745E0 EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,19_2_6CC745E0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7C5E0 EVP_MD_size,CRYPTO_zalloc,CRYPTO_malloc,memcpy,d2i_X509,X509_get0_pubkey,OPENSSL_sk_push,ERR_put_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,ERR_put_error,d2i_PUBKEY,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,EVP_PKEY_free,X509_free,OPENSSL_sk_new_null,19_2_6CC7C5E0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6A5F7 CRYPTO_malloc,19_2_6CC6A5F7
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7C583 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,19_2_6CC7C583
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCAE580 CRYPTO_free,19_2_6CCAE580
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCB0550 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,ERR_put_error,19_2_6CCB0550
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6A566 CRYPTO_malloc,19_2_6CC6A566
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7850C CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,19_2_6CC7850C
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC70510 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,19_2_6CC70510
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7453B X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,19_2_6CC7453B
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC706C0 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,19_2_6CC706C0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8C6E7 CRYPTO_free,19_2_6CC8C6E7
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCA6680 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,19_2_6CCA6680
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6A690 CRYPTO_free,19_2_6CC6A690
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCB0690 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,ERR_put_error,19_2_6CCB0690
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8C6A1 CRYPTO_free,19_2_6CC8C6A1
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC80640 X509_VERIFY_PARAM_free,CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,ENGINE_finish,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,CRYPTO_THREAD_lock_free,CRYPTO_free,19_2_6CC80640
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8C650 CRYPTO_free,CRYPTO_free,19_2_6CC8C650
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC80664 X509_VERIFY_PARAM_free,CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,ENGINE_finish,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,CRYPTO_THREAD_lock_free,CRYPTO_free,19_2_6CC80664
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7460B EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,19_2_6CC7460B
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8C610 CRYPTO_free,19_2_6CC8C610
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC96635 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,19_2_6CC96635
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8C78B CRYPTO_free,CRYPTO_free,CRYPTO_strdup,19_2_6CC8C78B
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6C794 CRYPTO_malloc,19_2_6CC6C794
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6A790 CRYPTO_free,19_2_6CC6A790
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC94751 time,EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key,EVP_sha256,EVP_DigestSignInit,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,EVP_MD_CTX_free,EVP_PKEY_free,EVP_MD_CTX_free,EVP_PKEY_free,19_2_6CC94751
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC66770 CRYPTO_free,19_2_6CC66770
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC74770 CRYPTO_zalloc,CRYPTO_THREAD_lock_new,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_free,19_2_6CC74770
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCAE770 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,ERR_put_error,ERR_put_error,19_2_6CCAE770
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6A700 CRYPTO_free,19_2_6CC6A700
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6670C CRYPTO_free,CRYPTO_free,19_2_6CC6670C
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCA071C CRYPTO_malloc,memcpy,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_put_error,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,19_2_6CCA071C
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC900C3 CRYPTO_free,CRYPTO_memdup,strcmp,strlen,OPENSSL_cleanse,CRYPTO_memcmp,OPENSSL_cleanse,19_2_6CC900C3
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6C0C8 EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,COMP_expand_block,19_2_6CC6C0C8
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC660F0 CRYPTO_malloc,CRYPTO_free,ERR_put_error,19_2_6CC660F0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC920F3 CRYPTO_free,CRYPTO_memdup,19_2_6CC920F3
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8A0A0 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,19_2_6CC8A0A0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7A0AB CRYPTO_free,CRYPTO_strdup,19_2_6CC7A0AB
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCAC048 CRYPTO_free,CRYPTO_memdup,19_2_6CCAC048
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC74060 CRYPTO_get_ex_new_index,19_2_6CC74060
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7A007 CRYPTO_free,CRYPTO_strdup,19_2_6CC7A007
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCA6018 EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,19_2_6CCA6018
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6A1E0 CRYPTO_free,19_2_6CC6A1E0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC661F0 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,19_2_6CC661F0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC9C18C CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,19_2_6CC9C18C
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8A144 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,19_2_6CC8A144
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6615C CRYPTO_free,19_2_6CC6615C
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC92166 CRYPTO_free,CRYPTO_memdup,19_2_6CC92166
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCAC11C CRYPTO_memdup,19_2_6CCAC11C
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6A2E0 CRYPTO_free,CRYPTO_malloc,19_2_6CC6A2E0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC622F6 CRYPTO_zalloc,CRYPTO_free,19_2_6CC622F6
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC662B4 CRYPTO_free,CRYPTO_free,19_2_6CC662B4
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8A25C CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,19_2_6CC8A25C
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6625C CRYPTO_free,CRYPTO_free,19_2_6CC6625C
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7427B i2d_X509_NAME,i2d_X509_NAME,CRYPTO_free,CRYPTO_free,memcmp,19_2_6CC7427B
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC66203 CRYPTO_free,CRYPTO_free,19_2_6CC66203
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6A210 CRYPTO_malloc,19_2_6CC6A210
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8E210 EVP_MD_size,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key,EVP_DigestSignInit,EVP_DigestUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,BIO_ctrl,EVP_DigestUpdate,19_2_6CC8E210
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCA6229 EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,19_2_6CCA6229
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC743E1 CRYPTO_free,CRYPTO_free,memcmp,19_2_6CC743E1
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCA63F8 CRYPTO_free,CRYPTO_malloc,RAND_bytes,19_2_6CCA63F8
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC803A9 CRYPTO_free,CRYPTO_memdup,ERR_put_error,19_2_6CC803A9
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC74345 i2d_X509_NAME,i2d_X509_NAME,CRYPTO_free,CRYPTO_free,memcmp,19_2_6CC74345
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC64340 CRYPTO_free,19_2_6CC64340
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC66350 CRYPTO_free,19_2_6CC66350
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7035B CRYPTO_strdup,19_2_6CC7035B
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC62323 CRYPTO_zalloc,19_2_6CC62323
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC74328 CRYPTO_free,CRYPTO_free,19_2_6CC74328
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8FC84 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,19_2_6CC8FC84
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7BC94 CRYPTO_THREAD_run_once,19_2_6CC7BC94
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC83CB8 CRYPTO_free,19_2_6CC83CB8
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7BC50 OPENSSL_init_crypto,CRYPTO_THREAD_run_once,ERR_put_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,19_2_6CC7BC50
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCA5C66 EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,19_2_6CCA5C66
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC89C70 CRYPTO_malloc,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,ERR_put_error,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,ERR_put_error,19_2_6CC89C70
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC83C24 strlen,CRYPTO_free,CRYPTO_strdup,CRYPTO_free,ERR_put_error,19_2_6CC83C24
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCA9D89 OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,19_2_6CCA9D89
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8FDB6 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,19_2_6CC8FDB6
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7BD57 CRYPTO_THREAD_run_once,19_2_6CC7BD57
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7BD24 CRYPTO_THREAD_run_once,19_2_6CC7BD24
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC83D35 strlen,CRYPTO_free,CRYPTO_strdup,CRYPTO_free,ERR_put_error,19_2_6CC83D35
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC9FE86 CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,19_2_6CC9FE86
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8FEA9 CRYPTO_free,19_2_6CC8FEA9
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCA5EA3 CRYPTO_free,19_2_6CCA5EA3
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCA5E5C EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,19_2_6CCA5E5C
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC77E60 CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_value,EVP_CIPHER_flags,EVP_get_cipherbyname,EVP_enc_null,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,19_2_6CC77E60
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC9FE20 CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,19_2_6CC9FE20
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC99FD1 CRYPTO_malloc,memcpy,19_2_6CC99FD1
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC8FFBB CRYPTO_free,19_2_6CC8FFBB
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC93F4B CRYPTO_free,CRYPTO_free,CRYPTO_memdup,19_2_6CC93F4B
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6BF40 EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,COMP_expand_block,CRYPTO_malloc,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,strncmp,strncmp,strncmp,19_2_6CC6BF40
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCAFF47 HMAC_size,EVP_CIPHER_CTX_iv_length,HMAC_Update,HMAC_Final,CRYPTO_memcmp,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,CRYPTO_malloc,EVP_DecryptUpdate,EVP_DecryptFinal,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,EVP_sha256,HMAC_Init_ex,EVP_aes_256_cbc,EVP_DecryptInit_ex,19_2_6CCAFF47
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCA5F59 EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,19_2_6CCA5F59
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC99F60 CRYPTO_malloc,memcpy,19_2_6CC99F60
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC9BF37 CRYPTO_free,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,CRYPTO_free,19_2_6CC9BF37
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCA58C5 EVP_MD_CTX_new,strlen,BN_num_bits,BN_bn2bin,EVP_PKEY_size,EVP_DigestSignInit,EVP_DigestSign,CRYPTO_free,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_num_bits,BN_num_bits,memset,EVP_PKEY_security_bits,CRYPTO_free,EVP_PKEY_new,EVP_PKEY_assign,EVP_PKEY_get1_tls_encodedpoint,DH_free,EVP_PKEY_get0_DH,EVP_PKEY_free,DH_get0_pqg,DH_get0_key,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,19_2_6CCA58C5
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC658D0 CRYPTO_free,19_2_6CC658D0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCA18E7 CRYPTO_free,EVP_MD_CTX_free,19_2_6CCA18E7
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC938F9 CRYPTO_free,CRYPTO_memdup,19_2_6CC938F9
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC918F3 CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,memcmp,19_2_6CC918F3
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7D883 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,memset,ERR_put_error,19_2_6CC7D883
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC81886 ERR_put_error,CRYPTO_free,19_2_6CC81886
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC9B890 OPENSSL_sk_new_null,X509_free,OPENSSL_sk_pop_free,d2i_X509,CRYPTO_free,OPENSSL_sk_push,ERR_clear_error,OPENSSL_sk_value,X509_get0_pubkey,EVP_PKEY_missing_parameters,X509_free,X509_up_ref,CRYPTO_free,19_2_6CC9B890
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC89850 OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,19_2_6CC89850
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC65860 CRYPTO_zalloc,ERR_put_error,19_2_6CC65860
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC99864 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,19_2_6CC99864
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7F820 CONF_parse_list,CONF_parse_list,CRYPTO_malloc,memcpy,CRYPTO_free,OPENSSL_LH_num_items,19_2_6CC7F820
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC7B833 CRYPTO_free,19_2_6CC7B833
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC65830 CRYPTO_free,19_2_6CC65830
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC6F9C0 CRYPTO_clear_free,19_2_6CC6F9C0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC899F1 CRYPTO_THREAD_unlock,19_2_6CC899F1
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CC89999 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,19_2_6CC89999
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA0960 ERR_clear_error,SSL_connect,SSL_version,SSL_get_error,SSL_get_current_cipher,SSL_CIPHER_get_name,SSL_get0_alpn_selected,WSAGetLastError,memset,ERR_get_error,SSL_get_verify_result,ERR_error_string_n,strncpy,memset,BIO_s_mem,BIO_new,SSL_get_peer_cert_chain,OPENSSL_sk_num,BIO_s_mem,BIO_new,BIO_ctrl,BIO_ctrl,PEM_write_bio_X509,BIO_ctrl,BIO_ctrl,OPENSSL_sk_value,X509_get_subject_name,X509_NAME_print_ex,BIO_ctrl,BIO_ctrl,X509_get_issuer_name,X509_NAME_print_ex,BIO_ctrl,BIO_ctrl,X509_get_version,BIO_printf,BIO_ctrl,BIO_ctrl,X509_get_serialNumber,BIO_puts,BIO_printf,BIO_ctrl,BIO_ctrl,X509_get0_signature,i2a_ASN1_OBJECT,BIO_ctrl,BIO_ctrl,X509_get_X509_PUBKEY,X509_PUBKEY_get0_param,i2a_ASN1_OBJECT,BIO_ctrl,BIO_ctrl,X509_get0_extensions,OPENSSL_sk_num,OPENSSL_sk_num,BIO_ctrl,BIO_free,OPENSSL_sk_num,OPENSSL_sk_value,BIO_s_mem,BIO_new,X509_EXTENSION_get_object,i2t_ASN1_OBJECT,X509V3_EXT_print,X509_EXTENSION_get_data,ASN1_STRING_print,X509_get0_notBefore,ASN1_TIME_print,BIO_ctrl,BIO_ctrl,X509_get0_notAfter,ASN1_TIME_print,BIO_ctrl,BIO_ctrl,X509_get_pubkey,EVP_PKEY_id,EVP_PKEY_get0_RSA,RSA_get0_key,BN_num_bits,BIO_printf,BIO_ctrl,BIO_ctrl,curl_msnprintf,BN_print,BIO_ctrl,BIO_ctrl,curl_msnprintf,BN_print,BIO_ctrl,EVP_PKEY_get0_DSA,DSA_get0_pqg,DSA_get0_key,curl_msnprintf,BN_print,BIO_ctrl,BIO_ctrl,curl_msnprintf,BN_print,BIO_ctrl,BIO_ctrl,curl_msnprintf,BN_print,BIO_ctrl,BIO_ctrl,EVP_PKEY_get0_DH,DH_get0_pqg,DH_get0_key,curl_msnprintf,BN_print,BIO_ctrl,BIO_ctrl,curl_msnprintf,BN_print,BIO_ctrl,BIO_ctrl,curl_msnprintf,BN_print,BIO_ctrl,BIO_ctrl,curl_msnprintf,BN_print,BIO_ctrl,BIO_ctrl,EVP_PKEY_free,BIO_printf,memcpy,memset,WSAGetLastError,BIO_free,SSL_get_peer_certificate,X509_get_subject_name,BIO_s_mem,BIO_new,X509_NAME_print_ex,BIO_ctrl,memcpy,BIO_free,BIO_free,X509_get0_notBefore,ASN1_TIME_print,BIO_ctrl,BIO_ctrl,X509_get0_notAfter,ASN1_TIME_print,BIO_ctrl,BIO_ctrl,BIO_free,X509_get_ext_d2i,OPENSSL_sk_num,OPENSSL_sk_value,ASN1_STRING_get0_data,ASN1_STRING_length,strlen,memcmp,GENERAL_NAMES_free,X509_get_issuer_name,BIO_s_mem,BIO_new,X509_NAME_print_ex,BIO_ctrl,memcpy,BIO_free,BIO_s_file,BIO_new,X509_get_subject_name,X509_NAME_get_index_by_NID,X509_NAME_get_entry,X509_NAME_ENTRY_get_data,ASN1_STRING_type,ASN1_STRING_length,CRYPTO_malloc,ASN1_STRING_get0_data,memcpy,X509_verify_cert_error_string,curl_msnprintf,BIO_new_mem_buf,PEM_read_bio_X509,X509_check_issued,ERR_get_error,ERR_error_string_n,strncpy,X509_free,ASN1_STRING_to_UTF8,strlen,CRYPTO_free,X509_free,BIO_free,X509_free,X509_free,BIO_free,X509_free,X509_free,BIO_free,X509_free,SSL_get_verify_result,X509_verify_cert_error_string,X509_verify_cert_error_string,SSL_ctrl,d2i_OCSP_RESPONSE,OCSP_response_status,OCSP_response_status_str,OCSP_RESPONSE_free,X509_free,X509_get_X509_PUBKEY,i2d_X509_PUBKEY,X509_get_X509_PUBKEY,i2d_X509_PUBKEY,X509_free,OCSP_response_get1_basic,SSL_get_peer_cert_chain,SSL_CTX_get_cert_store,OCSP_basic_verify,SSL_get_peer_certificate,OPENSSL_sk_num,OPENSSL_sk_value,X509_23_2_6CFA0960
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA2AF0 TLS_client_method,SSL_CTX_free,SSL_CTX_new,SSL_CTX_ctrl,SSL_CTX_set_msg_callback,SSL_CTX_ctrl,ERR_peek_error,ERR_error_string_n,strncpy,SSL_CTX_ctrl,SSL_CTX_ctrl,SSL_CTX_ctrl,SSL_CTX_ctrl,SSL_CTX_set_options,SSL_CTX_set_next_proto_select_cb,SSL_CTX_set_alpn_protos,BIO_new_mem_buf,BIO_new_mem_buf,SSL_CTX_set_default_passwd_cb_userdata,SSL_CTX_set_default_passwd_cb,d2i_X509_bio,SSL_CTX_use_certificate,d2i_PKCS12_bio,ERR_clear_error,PEM_read_bio_X509_AUX,SSL_CTX_use_certificate,ERR_peek_error,SSL_CTX_ctrl,PEM_read_bio_X509,SSL_CTX_ctrl,X509_free,ENGINE_ctrl,ENGINE_ctrl_cmd,SSL_CTX_use_certificate,X509_free,SSL_CTX_use_certificate_file,BIO_s_file,BIO_new,BIO_ctrl,d2i_PKCS12_bio,BIO_free,PKCS12_PBE_add,PKCS12_parse,PKCS12_free,SSL_CTX_use_certificate,SSL_CTX_use_PrivateKey,SSL_CTX_check_private_key,OPENSSL_sk_num,OPENSSL_sk_pop,SSL_CTX_add_client_CA,SSL_CTX_ctrl,SSL_CTX_use_certificate_chain_file,X509_free,ERR_get_error,ERR_error_string_n,strncpy,X509_free,ERR_get_error,ERR_error_string_n,strncpy,ERR_get_error,ERR_error_string_n,strncpy,ERR_get_error,ERR_error_string_n,strncpy,ERR_get_error,ERR_error_string_n,strncpy,PKCS12_free,ERR_get_error,ERR_error_string_n,strncpy,PEM_read_bio_PrivateKey,BIO_free,d2i_PrivateKey_bio,SSL_CTX_use_PrivateKey,EVP_PKEY_free,X509_free,SSL_CTX_use_PrivateKey_file,SSL_new,SSL_get_certificate,X509_get_pubkey,SSL_get_privatekey,EVP_PKEY_copy_parameters,EVP_PKEY_free,SSL_get_privatekey,EVP_PKEY_id,EVP_PKEY_get1_RSA,RSA_flags,RSA_free,SSL_free,SSL_CTX_check_private_key,SSL_free,ERR_peek_last_error,ERR_clear_error,EVP_PKEY_free,X509_free,OPENSSL_sk_pop_free,UI_create_method,UI_OpenSSL,UI_method_get_opener,UI_method_set_opener,UI_OpenSSL,UI_method_get_closer,UI_method_set_closer,UI_method_set_reader,UI_method_set_writer,ENGINE_load_private_key,UI_destroy_method,SSL_CTX_use_PrivateKey,EVP_PKEY_free,EVP_PKEY_free,X509_free,OPENSSL_sk_pop_free,EVP_PKEY_free,BIO_free,BIO_free,SSL_CTX_set_cipher_list,SSL_CTX_set_ciphersuites,SSL_CTX_set_post_handshake_auth,SSL_CTX_ctrl,SSL_CTX_set_srp_username,SSL_CTX_set_srp_password,SSL_CTX_set_cipher_list,SSL_CTX_get_cert_store,CertOpenSystemStoreW,CompareFileTime,GetLastError,CertEnumCertificatesInStore,GetSystemTimeAsFileTime,CompareFileTime,CompareFileTime,CertGetIntendedKeyUsage,CertGetEnhancedKeyUsage,CertGetEnhancedKeyUsage,strcmp,GetLastError,d2i_X509,X509_STORE_add_cert,X509_free,CompareFileTime,CertFreeCertificateContext,CertCloseStore,SSL_CTX_load_verify_locations,SSL_CTX_get_cert_store,X509_LOOKUP_file,X509_STORE_add_lookup,X509_load_crl_file,SSL_CTX_get_cert_store,X509_STORE_set_flags,SSL_CTX_get_cert_store,X509_STORE_set_flags,SSL_CTX_get_cert_store,X509_STORE_set_flags,SSL_CTX_set_verify,SSL_CTX_set_keylog_callback,SSL_CTX_ctrl,SSL_CTX_sess_set_new_cb,SSL_free,SSL_new,SSL_ctrl,SSL_set_connect_state,SSL_ctrl,CRYPTO_get_ex_new_index,CRYPTO_get_ex_new_index,SSL_set_ex_data,SSL_set_ex_data,SSL_set_session,SSL_set_fd,ERR_get_error,ERR_error_string_n,strncpy,BIO_f_ssl,BIO_ne23_2_6CFA2AF0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA8580 memset,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,23_2_6CFA8580
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFE46E0 EVP_CIPHER_CTX_key_length,EVP_aes_128_ecb,EVP_aes_256_ecb,EVP_aes_192_ecb,malloc,EVP_CIPHER_CTX_new,EVP_EncryptInit,EVP_CIPHER_CTX_set_padding,memcpy,EVP_CIPHER_CTX_set_app_data,EVP_CIPHER_CTX_free,free,23_2_6CFE46E0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA8670 CertGetCertificateChain,GetLastError,CertOpenStore,GetLastError,wcslen,free,CreateFileW,GetFileSizeEx,GetLastError,GetLastError,GetLastError,CloseHandle,free,CertCreateCertificateChainEngine,ReadFile,GetLastError,CertFreeCertificateChainEngine,CertCloseStore,CertFreeCertificateChain,CertFreeCertificateContext,free,strstr,strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,23_2_6CFA8670
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFE47B0 EVP_CIPHER_CTX_get_app_data,EVP_EncryptUpdate,23_2_6CFE47B0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF5A100 DES_set_odd_parity,DES_set_key,DES_ecb_encrypt,DES_set_odd_parity,DES_set_key,DES_ecb_encrypt,DES_set_odd_parity,DES_set_key,DES_ecb_encrypt,23_2_6CF5A100
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF5A300 strlen,memset,DES_set_odd_parity,DES_set_key,DES_ecb_encrypt,DES_set_odd_parity,DES_set_key,DES_ecb_encrypt,23_2_6CF5A300
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF9FF70 OPENSSL_init_ssl,CRYPTO_get_ex_new_index,CRYPTO_get_ex_new_index,23_2_6CF9FF70
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA5850 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,23_2_6CFA5850
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA59A0 memcpy,free,memmove,memset,CertFreeCertificateContext,WSAGetLastError,free,strchr,strtol,strchr,strlen,strncpy,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,memcmp,wcschr,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,wcsncmp,free,fseek,free,ftell,fseek,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,fread,fclose,strlen,MultiByteToWideChar,PFXImportCertStore,CertFindCertificateInStore,CertCloseStore,CertFreeCertificateContext,fclose,GetLastError,CertFreeCertificateContext,GetLastError,CertCloseStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertFreeCertificateContext,CertFreeCertificateContext,wcschr,wcslen,CertOpenStore,CryptStringToBinaryW,CertFindCertificateInStore,free,free,GetLastError,free,free,CertCloseStore,23_2_6CFA59A0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA9020 CertGetNameStringW,CertFindExtension,CryptDecodeObjectEx,wcslen,23_2_6CFA9020
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA52A0 CRYPTO_get_ex_new_index,CRYPTO_get_ex_new_index,SSL_get_ex_data,SSL_get_ex_data,23_2_6CFA52A0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: -----BEGIN PUBLIC KEY-----23_2_6CFAA600
            Source: BackupExtractor.exeBinary or memory string: -----BEGIN PUBLIC KEY-----
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: mov dword ptr [edi+04h], 424D53FFh23_2_6CF8CD20
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: mov dword ptr [ebx+04h], 424D53FFh23_2_6CF8CD20
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: mov dword ptr [edi+04h], 424D53FFh23_2_6CF8D280
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: mov dword ptr [esi+04h], 424D53FFh23_2_6CF8D280
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: mov dword ptr [ebx+04h], 424D53FFh23_2_6CF8D280
            Source: Binary string: D:\software\89.ios-recovery-win-gui-cool-itunes-5.2\projects\gui\Win32\Release\Bin\iOSRecoveryManager.pdb source: BackupExtractor.exe, 00000004.00000000.1265695109.0000000000AFE000.00000002.00000001.01000000.00000003.sdmp
            Source: Binary string: D:\software\89.ios-recovery-win-gui-cool-itunes-5.2\projects\gui\Win32\Release\Bin\iOSRecoveryManager.pdbFF1 source: BackupExtractor.exe, 00000004.00000000.1265695109.0000000000AFE000.00000002.00000001.01000000.00000003.sdmp
            Source: Binary string: *.exe|*.dll|*.pdb source: BackupExtractor.exe, 00000004.00000003.1297410205.0000000006EC0000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1297180624.0000000006EC0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: BackupExtractor.exe
            Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: BackupExtractor.exe
            Source: Binary string: "*.exe|*.dll|*.pdbV source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1298422223.0000000008F8B000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1310985722.0000000009AAC000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306280910.0000000008F65000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306813816.000000000950F000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1294114246.00000000089DF000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Windows\System32\msiexec.exeFile opened: z:
            Source: C:\Windows\System32\msiexec.exeFile opened: x:
            Source: C:\Windows\System32\msiexec.exeFile opened: v:
            Source: C:\Windows\System32\msiexec.exeFile opened: t:
            Source: C:\Windows\System32\msiexec.exeFile opened: r:
            Source: C:\Windows\System32\msiexec.exeFile opened: p:
            Source: C:\Windows\System32\msiexec.exeFile opened: n:
            Source: C:\Windows\System32\msiexec.exeFile opened: l:
            Source: C:\Windows\System32\msiexec.exeFile opened: j:
            Source: C:\Windows\System32\msiexec.exeFile opened: h:
            Source: C:\Windows\System32\msiexec.exeFile opened: f:
            Source: C:\Windows\System32\msiexec.exeFile opened: b:
            Source: C:\Windows\System32\msiexec.exeFile opened: y:
            Source: C:\Windows\System32\msiexec.exeFile opened: w:
            Source: C:\Windows\System32\msiexec.exeFile opened: u:
            Source: C:\Windows\System32\msiexec.exeFile opened: s:
            Source: C:\Windows\System32\msiexec.exeFile opened: q:
            Source: C:\Windows\System32\msiexec.exeFile opened: o:
            Source: C:\Windows\System32\msiexec.exeFile opened: m:
            Source: C:\Windows\System32\msiexec.exeFile opened: k:
            Source: C:\Windows\System32\msiexec.exeFile opened: i:
            Source: C:\Windows\System32\msiexec.exeFile opened: g:
            Source: C:\Windows\System32\msiexec.exeFile opened: e:
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: c:
            Source: C:\Windows\System32\msiexec.exeFile opened: a:
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_00AC5540 memset,FindFirstFileW,_invalid_parameter_noinfo_noreturn,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,?FindIfMatchW@Utils@@SA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W0@Z,?IsFileExist@BASUtilityFile@@SA_NPB_W@Z,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,?CompareVersion@BASUtilityString@@SAHPBD0@Z,SimpleUString::operator=,?Free@BASUtilityString@@SAXPAX@Z,?Free@BASUtilityString@@SAXPAX@Z,?Free@BASUtilityString@@SAXPAX@Z,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,19_2_00AC5540
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_00AB6910 pthread_once,PathFindFileNameW,memmove,FindFirstFileW,_invalid_parameter_noinfo_noreturn,memcpy,_waccess,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,?CompareVersion@BASUtilityString@@SAHPBD0@Z,?Free@BASUtilityString@@SAXPAX@Z,FindNextFileW,FindClose,?ConvertUtf8ToUnicode@BASUtilityString@@SAPA_WPBD@Z,_wfopen,fseek,fseek,ftell,fseek,malloc,memset,fread,??0LogMessage@google@@QAE@PBDHH@Z,?stream@LogMessage@google@@QAEAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@XZ,??1LogMessage@google@@QAE@XZ,?ConvertUtf8ToUnicode@BASUtilityString@@SAPA_WPBD@Z,_waccess,SetDllDirectoryW,SetDllDirectoryW,LoadLibraryW,SetDllDirectoryW,GetProcAddress,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,?Free@BASUtilityString@@SAXPAX@Z,malloc,pthread_mutex_lock,pthread_mutex_unlock,19_2_00AB6910
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_00AD3F60 memset,wcscpy_s,wcscat_s,FindFirstFileW,StrStrIW,StrStrIW,DeleteFileW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,19_2_00AD3F60
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then push ebx23_2_6CFD6C70
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then push ebx23_2_6CFDCDF0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov ebx, dword ptr [edi+4Ch]23_2_6CFCAD80
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then test eax, eax23_2_6CFB8D70
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then test ebx, ebx23_2_6CFB8D70
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov ecx, dword ptr [edi+0Ch]23_2_6CFBEE80
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then cmp eax, 04h23_2_6CFFAE20
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov eax, esi23_2_6CFECFD0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov dword ptr [esp], 00000000h23_2_6CF74FB0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then test eax, eax23_2_6D000E60
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then push 0000000Bh23_2_6CF568C0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov dword ptr [esi+58h], edx23_2_6CFC6880
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov dword ptr [edx], ecx23_2_6CFFA990
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then shr ecx, 07h23_2_6CFC0A20
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then lea eax, dword ptr [esp+28h]23_2_6CF56BC0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov eax, dword ptr [ebp+0000CEA0h]23_2_6CFDCB50
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov dword ptr [ebp+0000CEA0h], 00000000h23_2_6CFDCB50
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then push esi23_2_6CFDA4D0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then push ebx23_2_6CFD8480
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then cmp eax, FFFFFFDBh23_2_6CFDE420
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then inc ebp23_2_6CFB85B0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov byte ptr [ebp+00h], cl23_2_6CF86570
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov ecx, dword ptr [ebx+0000CB64h]23_2_6CFD66D0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then push dword ptr [eax+edx*4-04h]23_2_6CF70650
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then cmp ecx, esi23_2_6CFE67C0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then test edi, edi23_2_6CFD675B
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then movzx ecx, byte ptr [ebx]23_2_6CF9C030
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then cmp byte ptr [ebp+000000AAh], 00000000h23_2_6CFC6230
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov ebx, dword ptr [esi]23_2_6CF6A200
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then test esi, esi23_2_6CF563D0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then cmp byte ptr [eax], 00000020h23_2_6CF79CB0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then xor ebx, ebx23_2_6CF79CB0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov ebx, esi23_2_6CF53D30
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov ebx, esi23_2_6CF53ED3
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov ebp, dword ptr [ebp+00h]23_2_6CF57E40
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then push 00000000h23_2_6CF5FFA0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov edi, dword ptr [esp+00000340h]23_2_6CF87850
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then push edi23_2_6CFD74C0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov eax, dword ptr [esi]23_2_6CFC3420
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then shl ebx, 08h23_2_6CF9B550
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov esi, dword ptr [ebx+edx-04h]23_2_6CFF5540
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov edx, dword ptr [ebp+esi-04h]23_2_6CFF5540
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov ecx, dword ptr [edx]23_2_6CFC3750
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then movzx eax, byte ptr [esp+esi+000001B7h]23_2_6CF7B1D0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then mov edi, dword ptr [esp+04h]23_2_6CF83160
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then cmp word ptr [ecx+eax*2-22h], FFFFh23_2_6D003280
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 4x nop then cmp edi, 00000100h23_2_6D003280
            Source: global trafficTCP traffic: 192.168.2.7:49727 -> 8.8.8.8:53
            Source: unknownTCP traffic detected without corresponding DNS query: 192.121.22.224
            Source: unknownTCP traffic detected without corresponding DNS query: 65.38.121.69
            Source: unknownTCP traffic detected without corresponding DNS query: 146.19.254.194
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe | Code function: 23_2_6CF7E880 recv,recv,recv, 23_2_6CF7E880
            Source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1300004753.0000000008F69000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1304480916.0000000008F67000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1295035414.0000000007E84000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1299209569.0000000008420000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1303682934.000000000950D000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1298422223.0000000008F8B000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1310985722.0000000009AAC000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306280910.0000000008F65000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306813816.000000000950F000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1294114246.00000000089DF000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1302926420.0000000008F61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://.css
            Source: BackupExtractor.exe | String found in binary or memory: http://.jpg
            Source: BackupExtractor.exe | String found in binary or memory: http://html4/loose.dtd
            Source: BackupExtractor.exe | String found in binary or memory: http://www.brynosaurus.com/cachedir/
            Source: BackupExtractor.exe, 00000004.00000003.1592953238.000000007E5C0000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1594280396.000000007FA70000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1592097219.000000007E860000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1593520884.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1594197654.000000007F9B0000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1592322911.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1593451609.000000007E940000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/V
            Source: BackupExtractor.exe, 00000004.00000003.1592953238.000000007E5C0000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1594280396.000000007FA70000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1591484950.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1592097219.000000007E860000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1592322911.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
            Source: BackupExtractor.exe, 00000004.00000003.1592953238.000000007E5C0000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1594280396.000000007FA70000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1591484950.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1592097219.000000007E860000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1592322911.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
            Source: BackupExtractor.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html
            Source: BackupExtractor.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
            Source: BackupExtractor.exe | String found in binary or memory: https://curl.se/docs/hsts.html
            Source: BackupExtractor.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
            Source: BackupExtractor.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html
            Source: BackupExtractor.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#

            E-Banking Fraud

            Source: Yara match | File source: Process Memory Space: BackupExtractor.exe PID: 5328, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe | Code function: 23_2_6CFA8670 CertGetCertificateChain,GetLastError,CertOpenStore,GetLastError,wcslen,free,CreateFileW,GetFileSizeEx,GetLastError,GetLastError,GetLastError,CloseHandle,free,CertCreateCertificateChainEngine,ReadFile,GetLastError,CertFreeCertificateChainEngine,CertCloseStore,CertFreeCertificateChain,CertFreeCertificateContext,free,strstr,strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError, 23_2_6CFA8670

            System Summary

            Source: iconv.dll.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe | Process Stats: CPU usage > 49%
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4c320a.msi
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{58F90A35-6245-4CD8-953C-458660066C65}
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3566.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4c320c.msi
            Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\4c320c.msi
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D00E9F023_2_6D00E9F0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFB080023_2_6CFB0800
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFD09F023_2_6CFD09F0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA096023_2_6CFA0960
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFEE95023_2_6CFEE950
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA2AF023_2_6CFA2AF0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D00AB4023_2_6D00AB40
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF52AB023_2_6CF52AB0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF56BC023_2_6CF56BC0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFB0BAD23_2_6CFB0BAD
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFF2B3023_2_6CFF2B30
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF7CB1023_2_6CF7CB10
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFEC5B023_2_6CFEC5B0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFF257023_2_6CFF2570
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA867023_2_6CFA8670
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D0107B023_2_6D0107B0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF867C023_2_6CF867C0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF8879023_2_6CF88790
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFFE78023_2_6CFFE780
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D00268023_2_6D002680
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFF609023_2_6CFF6090
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D00017023_2_6D000170
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFE808023_2_6CFE8080
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF9C03023_2_6CF9C030
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF6018023_2_6CF60180
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D00209023_2_6D002090
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFF215023_2_6CFF2150
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFC213023_2_6CFC2130
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF5A10023_2_6CF5A100
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFF63D023_2_6CFF63D0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF7A3A023_2_6CF7A3A0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D0022D023_2_6D0022D0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF5A30023_2_6CF5A300
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFFFC5023_2_6CFFFC50
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF83DB023_2_6CF83DB0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFCBD5023_2_6CFCBD50
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFEDD5023_2_6CFEDD50
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF53D3023_2_6CF53D30
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFF7E3023_2_6CFF7E30
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D00BE0023_2_6D00BE00
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFB3F4023_2_6CFB3F40
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFE7F4023_2_6CFE7F40
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFB9F2023_2_6CFB9F20
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF818F023_2_6CF818F0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF6B85023_2_6CF6B850
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF8785023_2_6CF87850
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF7782023_2_6CF77820
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFCF9D423_2_6CFCF9D4
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA59A023_2_6CFA59A0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFF999023_2_6CFF9990
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFCD97023_2_6CFCD970
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF5D93023_2_6CF5D930
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFE7AE023_2_6CFE7AE0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D005B8023_2_6D005B80
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFE9A3023_2_6CFE9A30
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFBFB3023_2_6CFBFB30
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF594B023_2_6CF594B0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFE744023_2_6CFE7440
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF7741023_2_6CF77410
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF6558B23_2_6CF6558B
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFD757023_2_6CFD7570
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF9B55023_2_6CF9B550
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFF962023_2_6CFF9620
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF7F74F23_2_6CF7F74F
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFEF0C023_2_6CFEF0C0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFE70B023_2_6CFE70B0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF5F00023_2_6CF5F000
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D00501023_2_6D005010
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF7B1D023_2_6CF7B1D0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF972E023_2_6CF972E0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFFB24023_2_6CFFB240
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF713B023_2_6CF713B0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF993B023_2_6CF993B0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CF933A023_2_6CF933A0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 6CF92300 appears 45 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 6CF92650 appears 35 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 6CF82520 appears 51 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 00AB7DA0 appears 41 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 6D011A48 appears 79 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 6D0119E0 appears 38 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 6CFD3530 appears 183 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 6CF7C800 appears 47 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 6CF87E10 appears 496 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 6CF96C90 appears 31 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 6D011A00 appears 51 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 00AB6560 appears 41 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 6CF7C680 appears 58 times
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: String function: 6CF87C70 appears 433 times
            Source: libHelper.dll.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: libView.dll.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: zlib1.dll.2.dr Static PE information: Number of sections : 11 > 10
            Source: libcrypto-1_1.dll.2.dr Static PE information: Number of sections : 11 > 10
            Source: libssl-1_1.dll.2.dr Static PE information: Number of sections : 11 > 10
            Source: pthreadGC2.dll.2.dr Static PE information: Number of sections : 21 > 10
            Source: libxml2-2.dll.2.dr Static PE information: Number of sections : 19 > 10
            Source: libcurl.dll.2.dr Static PE information: Number of sections : 11 > 10
            Source: classification engine Classification label: mal96.phis.bank.troj.spyw.evad.winMSI@11/116@0/4
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 23_2_6CF92BE0 GetLastError,_errno,curl_msnprintf,curl_msnprintf,FormatMessageW,wcstombs,strchr,curl_msnprintf,_errno,_errno,GetLastError,SetLastError,23_2_6CF92BE0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 23_2_6CFA2AF0 TLS_client_method,SSL_CTX_free,SSL_CTX_new,SSL_CTX_ctrl,SSL_CTX_set_msg_callback,SSL_CTX_ctrl,ERR_peek_error,ERR_error_string_n,strncpy,SSL_CTX_ctrl,SSL_CTX_ctrl,SSL_CTX_ctrl,SSL_CTX_ctrl,SSL_CTX_set_options,SSL_CTX_set_next_proto_select_cb,SSL_CTX_set_alpn_protos,BIO_new_mem_buf,BIO_new_mem_buf,SSL_CTX_set_default_passwd_cb_userdata,SSL_CTX_set_default_passwd_cb,d2i_X509_bio,SSL_CTX_use_certificate,d2i_PKCS12_bio,ERR_clear_error,PEM_read_bio_X509_AUX,SSL_CTX_use_certificate,ERR_peek_error,SSL_CTX_ctrl,PEM_read_bio_X509,SSL_CTX_ctrl,X509_free,ENGINE_ctrl,ENGINE_ctrl_cmd,SSL_CTX_use_certificate,X509_free,SSL_CTX_use_certificate_file,BIO_s_file,BIO_new,BIO_ctrl,d2i_PKCS12_bio,BIO_free,PKCS12_PBE_add,PKCS12_parse,PKCS12_free,SSL_CTX_use_certificate,SSL_CTX_use_PrivateKey,SSL_CTX_check_private_key,OPENSSL_sk_num,OPENSSL_sk_pop,SSL_CTX_add_client_CA,SSL_CTX_ctrl,SSL_CTX_use_certificate_chain_file,X509_free,ERR_get_error,ERR_error_string_n,strncpy,X509_free,ERR_get_error,ERR_error_string_n,strncpy,ERR_get_error,ERR_error_string_n,strncpy,ERR_get_error,ERR_error_string_n,strncpy,ERR_get_error,ERR_error_string_n,strncpy,PKCS12_free,ERR_get_error,ERR_error_string_n,strncpy,PEM_read_bio_PrivateKey,BIO_free,d2i_PrivateKey_bio,SSL_CTX_use_PrivateKey,EVP_PKEY_free,X509_free,SSL_CTX_use_PrivateKey_file,SSL_new,SSL_get_certificate,X509_get_pubkey,SSL_get_privatekey,EVP_PKEY_copy_parameters,EVP_PKEY_free,SSL_get_privatekey,EVP_PKEY_id,EVP_PKEY_get1_RSA,RSA_flags,RSA_free,SSL_free,SSL_CTX_check_private_key,SSL_free,ERR_peek_last_error,ERR_clear_error,EVP_PKEY_free,X509_free,OPENSSL_sk_pop_free,UI_create_method,UI_OpenSSL,UI_method_get_opener,UI_method_set_opener,UI_OpenSSL,UI_method_get_closer,UI_method_set_closer,UI_method_set_reader,UI_method_set_writer,ENGINE_load_private_key,UI_destroy_method,SSL_CTX_use_PrivateKey,EVP_PKEY_free,EVP_PKEY_free,X509_free,OPENSSL_sk_pop_free,EVP_PKEY_free,BIO_free,BIO_free,SSL_CTX_set_cipher_list,SSL_CTX_set_ciphersuites,SSL_CTX_set_post_handshake_auth,SSL_CTX_ctrl,SSL_CTX_set_srp_username,SSL_CTX_set_srp_password,SSL_CTX_set_cipher_list,SSL_CTX_get_cert_store,CertOpenSystemStoreW,CompareFileTime,GetLastError,CertEnumCertificatesInStore,GetSystemTimeAsFileTime,CompareFileTime,CompareFileTime,CertGetIntendedKeyUsage,CertGetEnhancedKeyUsage,CertGetEnhancedKeyUsage,strcmp,GetLastError,d2i_X509,X509_STORE_add_cert,X509_free,CompareFileTime,CertFreeCertificateContext,CertCloseStore,SSL_CTX_load_verify_locations,SSL_CTX_get_cert_store,X509_LOOKUP_file,X509_STORE_add_lookup,X509_load_crl_file,SSL_CTX_get_cert_store,X509_STORE_set_flags,SSL_CTX_get_cert_store,X509_STORE_set_flags,SSL_CTX_get_cert_store,X509_STORE_set_flags,SSL_CTX_set_verify,SSL_CTX_set_keylog_callback,SSL_CTX_ctrl,SSL_CTX_sess_set_new_cb,SSL_free,SSL_new,SSL_ctrl,SSL_set_connect_state,SSL_ctrl,CRYPTO_get_ex_new_index,CRYPTO_get_ex_new_index,SSL_set_ex_data,SSL_set_ex_data,SSL_set_session,SSL_set_fd,ERR_get_error,ERR_error_string_n,strncpy,BIO_f_ssl,BIO_ne23_2_6CFA2AF0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00ACA120 CreateToolhelp32Snapshot,memset,tolower,Process32FirstW,OpenProcess,EnumProcessModules,memset,GetModuleFileNameExW,CloseHandle,tolower,Process32NextW,CloseHandle,OpenProcess,TerminateProcess,WaitForSingleObject,_invalid_parameter_noinfo_noreturn,19_2_00ACA120
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00ACB870 CoCreateInstance,19_2_00ACB870
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AD34A0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,19_2_00AD34A0
            Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML35A4.tmp
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Mutant created: \Sessions\1\BaseNamedObjects\Global_Coolmuster iPhone Backup Extractor_3.5.11
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Mutant created: \Sessions\1\BaseNamedObjects\62107868
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1876:120:WilError_03
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF6F5C6E2DAFBE1548.TMP
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Command line argument: %Y%m%d 19_2_00ADB000
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Command line argument: %Y%m%d%H%M%S 19_2_00ADB000
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Command line argument: .dmp 19_2_00ADB000
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
            Source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1300004753.0000000008F69000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1304480916.0000000008F67000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1295035414.0000000007E84000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1299209569.0000000008420000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1303682934.000000000950D000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1298422223.0000000008F8B000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1310985722.0000000009AAC000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306280910.0000000008F65000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306813816.000000000950F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1300004753.0000000008F69000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1304480916.0000000008F67000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1295035414.0000000007E84000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1299209569.0000000008420000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1303682934.000000000950D000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1298422223.0000000008F8B000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1310985722.0000000009AAC000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306280910.0000000008F65000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306813816.000000000950F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1300004753.0000000008F69000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1304480916.0000000008F67000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1295035414.0000000007E84000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1299209569.0000000008420000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1303682934.000000000950D000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1298422223.0000000008F8B000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1310985722.0000000009AAC000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306280910.0000000008F65000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306813816.000000000950F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1300004753.0000000008F69000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1304480916.0000000008F67000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1295035414.0000000007E84000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1299209569.0000000008420000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1303682934.000000000950D000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1298422223.0000000008F8B000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1310985722.0000000009AAC000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306280910.0000000008F65000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306813816.000000000950F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
            Source: BackupExtractor.exeString found in binary or memory: set-addPolicy
            Source: BackupExtractor.exeString found in binary or memory: id-cmc-addExtensions
            Source: BackupExtractor.exeString found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
            Source: BackupExtractor.exeString found in binary or memory: Unable to complete request for channel-process-startup
            Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msi"
            Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
            Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cryptnet.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libbasic.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: pthreadgc2.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: zlib1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: dbghelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: dbgcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: librg.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libi18n.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libglog.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: groceryc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libmodel.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: msimg32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libview.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libxml2-2.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libupdate.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libexpat.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libcurl.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libcrypto-1_1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libssl-1_1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libhelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: quserex.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: activitytraceshelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: iconv.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: atlthunk.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: oleacc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: wshunix.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: cryptui.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: avifil32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: msvfw32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: msacm32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: pstorec.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: wlanapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: netprofm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: npmproxy.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: mmdevapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: audioses.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libbasic.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: pthreadgc2.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: librg.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libi18n.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libglog.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: groceryc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libview.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libxml2-2.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libupdate.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libhelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: zlib1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: dbghelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: pthreadgc2.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libmodel.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: msimg32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: msvcp140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libexpat.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libcurl.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: zlib1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libcrypto-1_1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libssl-1_1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: dbgcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: quserex.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libbasic.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: pthreadgc2.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: librg.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libi18n.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libglog.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: dbghelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: groceryc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libview.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libxml2-2.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libupdate.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeSection loaded: libhelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msiStatic file information: File size 17424384 > 1048576
            Source: Binary string: D:\software\89.ios-recovery-win-gui-cool-itunes-5.2\projects\gui\Win32\Release\Bin\iOSRecoveryManager.pdb source: BackupExtractor.exe, 00000004.00000000.1265695109.0000000000AFE000.00000002.00000001.01000000.00000003.sdmp
            Source: Binary string: D:\software\89.ios-recovery-win-gui-cool-itunes-5.2\projects\gui\Win32\Release\Bin\iOSRecoveryManager.pdbFF1 source: BackupExtractor.exe, 00000004.00000000.1265695109.0000000000AFE000.00000002.00000001.01000000.00000003.sdmp
            Source: Binary string: *.exe|*.dll|*.pdb source: BackupExtractor.exe, 00000004.00000003.1297410205.0000000006EC0000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1297180624.0000000006EC0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: BackupExtractor.exe
            Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: BackupExtractor.exe
            Source: Binary string: "*.exe|*.dll|*.pdbV source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1298422223.0000000008F8B000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1310985722.0000000009AAC000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306280910.0000000008F65000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306813816.000000000950F000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1294114246.00000000089DF000.00000004.00000020.00020000.00000000.sdmp
            Source: ucrtbase.dll.2.drStatic PE information: 0x82DE8CA7 [Sat Jul 30 07:17:59 2039 UTC]
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_00AD26D0 LoadLibraryW,GetProcAddress,FreeLibrary,memset,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreatePopupMenu,GetClientRect,SendMessageW,SendMessageW,GetMenuItemCount,memset,memset,GetMenuItemInfoW,memset,SendMessageW,lstrlenW,LoadStringW,AppendMenuW,GetMenuItemCount,DestroyMenu,MessageBeep,19_2_00AD26D0
            Source: groceryc.dll.2.drStatic PE information: real checksum: 0x0 should be: 0x5ffa5
            Source: libUpdate.dll.2.drStatic PE information: real checksum: 0x0 should be: 0x12584
            Source: libView.dll.2.drStatic PE information: real checksum: 0x0 should be: 0x429c3
            Source: libHelper.dll.2.drStatic PE information: real checksum: 0x0 should be: 0xa502
            Source: iconv.dll.2.drStatic PE information: real checksum: 0xe26d3 should be: 0xea6d3
            Source: libglog.dll.2.drStatic PE information: real checksum: 0x0 should be: 0x31892
            Source: libBasic.dll.2.drStatic PE information: real checksum: 0x0 should be: 0x477e7
            Source: libI18n.dll.2.drStatic PE information: real checksum: 0x0 should be: 0x8c9e
            Source: libRG.dll.2.drStatic PE information: real checksum: 0x0 should be: 0x14e23
            Source: ActivityTracesHelper.dll.2.drStatic PE information: real checksum: 0x0 should be: 0x4c56eb
            Source: zlib1.dll.2.drStatic PE information: section name: /4
            Source: libcrypto-1_1.dll.2.drStatic PE information: section name: /4
            Source: libcurl.dll.2.drStatic PE information: section name: .eh_fram
            Source: libssl-1_1.dll.2.drStatic PE information: section name: /4
            Source: libxml2-2.dll.2.drStatic PE information: section name: /4
            Source: libxml2-2.dll.2.drStatic PE information: section name: /14
            Source: libxml2-2.dll.2.drStatic PE information: section name: /29
            Source: libxml2-2.dll.2.drStatic PE information: section name: /45
            Source: libxml2-2.dll.2.drStatic PE information: section name: /57
            Source: libxml2-2.dll.2.drStatic PE information: section name: /71
            Source: libxml2-2.dll.2.drStatic PE information: section name: /83
            Source: libxml2-2.dll.2.drStatic PE information: section name: /96
            Source: libxml2-2.dll.2.drStatic PE information: section name: /107
            Source: libxml2-2.dll.2.drStatic PE information: section name: /118
            Source: pthreadGC2.dll.2.drStatic PE information: section name: /4
            Source: pthreadGC2.dll.2.drStatic PE information: section name: /14
            Source: pthreadGC2.dll.2.drStatic PE information: section name: /29
            Source: pthreadGC2.dll.2.drStatic PE information: section name: /45
            Source: pthreadGC2.dll.2.drStatic PE information: section name: /61
            Source: pthreadGC2.dll.2.drStatic PE information: section name: /73
            Source: pthreadGC2.dll.2.drStatic PE information: section name: /87
            Source: pthreadGC2.dll.2.drStatic PE information: section name: /99
            Source: pthreadGC2.dll.2.drStatic PE information: section name: /112
            Source: pthreadGC2.dll.2.drStatic PE information: section name: /123
            Source: pthreadGC2.dll.2.drStatic PE information: section name: /134
            Source: msvcp140.dll.2.drStatic PE information: section name: .didat
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_00AFACD6 push ecx; ret 19_2_00AFACE9
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_00AF3E30 push ecx; mov dword ptr [esp], 3F800000h19_2_00AF40CB
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_00AF3E30 push ecx; mov dword ptr [esp], 3F800000h19_2_00AF4114
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_00AF3E30 push ecx; mov dword ptr [esp], 3F800000h19_2_00AF418F
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_624844D0 push eax; mov dword ptr [esp], edi19_2_624846EF
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_624A1294 push edx; ret 19_2_624A12C7
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6248B03C push esi; mov dword ptr [esp], edi19_2_6248B23D
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6248B03C push eax; mov dword ptr [esp], ebp19_2_6248B39C
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_624910BB push 41100E0Ah; ret 19_2_624910D8
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6248B674 push eax; mov dword ptr [esp], ebp19_2_6248BA2A
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_62488ACC push eax; mov dword ptr [esp], ebp19_2_62488C03
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6248BB1C push ebx; mov dword ptr [esp], ebp19_2_6248BC42
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_62481828 push eax; mov dword ptr [esp], 00000000h19_2_624819E3
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_62484FD8 push edx; mov dword ptr [esp], esi19_2_62484FF7
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_62487DB0 push eax; mov dword ptr [esp], edi19_2_62487E0D
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_62E962DE push cs; iretd 19_2_62E962B2
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_62E961DC push cs; iretd 19_2_62E962B2
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_62E9648E push ebx; ret 19_2_62E9648F
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_62E935D4 push eax; ret 19_2_62E93604
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_6CCC4ED8 pushad ; retf 19_2_6CCC4F12
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D004FB0 push dword ptr [eax+04h]; ret 23_2_6D004FDF
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA0780 push eax; mov dword ptr [esp], 00000000h23_2_6CFA0785
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA0710 push eax; mov dword ptr [esp], 00000000h23_2_6CFA0715
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D001C80 push eax; mov dword ptr [esp], edx23_2_6D001C85
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6CFA5850 push eax; mov dword ptr [esp], 00000000h23_2_6CFA5852
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 23_2_6D096E05 push ecx; ret 23_2_6D096E18
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libssl-1_1.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libBasic.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\ucrtbase.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libUpdate.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\pthreadGC2.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\msvcp140_2.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libI18n.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\iconv.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libHelper.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\msvcp140_atomic_wait.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libglog.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\vcruntime140.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\msvcp140_1.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libcrypto-1_1.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\ActivityTracesHelper.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\groceryc.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libmodel.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\msvcp140.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libView.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\vccorlib140.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libRG.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\concrt140.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libxml2-2.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\msvcp140_codecvt_ids.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libexpat.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\zlib1.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libcurl.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Image AutoEnhancerJump to behavior

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1300004753.0000000008F69000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1304480916.0000000008F67000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1295035414.0000000007E84000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1299209569.0000000008420000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1303682934.000000000950D000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1298422223.0000000008F8B000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1310985722.0000000009AAC000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306280910.0000000008F65000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306813816.000000000950F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: torConnect
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Process information set: NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX
            Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Window / User API: threadDelayed 593
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Window / User API: threadDelayed 664
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Window / User API: threadDelayed 4001
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Window / User API: threadDelayed 3405
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7547
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1381
            Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\msvcp140_2.dll
            Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\vccorlib140.dll
            Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\concrt140.dll
            Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\msvcp140_atomic_wait.dll
            Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\msvcp140_codecvt_ids.dll
            Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\msvcp140_1.dll
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe API coverage: 0.4 %
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe API coverage: 0.0 %
            Source: C:\Windows\System32\msiexec.exe TID: 6552 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe TID: 8060 Thread sleep time: -8002000s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe TID: 8068 Thread sleep time: -75075s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe TID: 8064 Thread sleep time: -6810000s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe TID: 8064 Thread sleep time: -90000s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe TID: 7976 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe TID: 8000 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1532 Thread sleep count: 7547 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1532 Thread sleep count: 1381 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2184 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2332 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AC5540 memset,FindFirstFileW,_invalid_parameter_noinfo_noreturn,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,?FindIfMatchW@Utils@@SA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W0@Z,?IsFileExist@BASUtilityFile@@SA_NPB_W@Z,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,?CompareVersion@BASUtilityString@@SAHPBD0@Z,SimpleUString::operator=,?Free@BASUtilityString@@SAXPAX@Z,?Free@BASUtilityString@@SAXPAX@Z,?Free@BASUtilityString@@SAXPAX@Z,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AB6910 pthread_once,PathFindFileNameW,memmove,FindFirstFileW,_invalid_parameter_noinfo_noreturn,memcpy,_waccess,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,?CompareVersion@BASUtilityString@@SAHPBD0@Z,?Free@BASUtilityString@@SAXPAX@Z,FindNextFileW,FindClose,?ConvertUtf8ToUnicode@BASUtilityString@@SAPA_WPBD@Z,_wfopen,fseek,fseek,ftell,fseek,malloc,memset,fread,??0LogMessage@google@@QAE@PBDHH@Z,?stream@LogMessage@google@@QAEAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@XZ,??1LogMessage@google@@QAE@XZ,?ConvertUtf8ToUnicode@BASUtilityString@@SAPA_WPBD@Z,_waccess,SetDllDirectoryW,SetDllDirectoryW,LoadLibraryW,SetDllDirectoryW,GetProcAddress,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,?Free@BASUtilityString@@SAXPAX@Z,malloc,pthread_mutex_lock,pthread_mutex_unlock
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AD3F60 memset,wcscpy_s,wcscat_s,FindFirstFileW,StrStrIW,StrStrIW,DeleteFileW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Thread delayed: delay time: 75075
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
            Source: BackupExtractor.exe, 00000004.00000003.1269021638.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1296068006.0000000000F45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
            Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AFAA40 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AD26D0 LoadLibraryW,GetProcAddress,FreeLibrary,memset,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreatePopupMenu,GetClientRect,SendMessageW,SendMessageW,GetMenuItemCount,memset,memset,GetMenuItemInfoW,memset,SendMessageW,lstrlenW,LoadStringW,AppendMenuW,GetMenuItemCount,DestroyMenu,MessageBeep
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AF86FB mov esi, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AF85E5 GetProcessHeap,HeapAlloc,InterlockedPopEntrySList,memset,VirtualAlloc,RaiseException,InterlockedPopEntrySList,VirtualFree,InterlockedPushEntrySList
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AFA406 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AFAA40 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AFABD6 SetUnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AC51B0 GetVersionExA,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle
            Source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1300004753.0000000008F69000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1304480916.0000000008F67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
            Source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1300004753.0000000008F69000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1304480916.0000000008F67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: explorer.exeShell_TrayWnd
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AFA782 cpuid
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
            Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 19_2_00AFA919 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 23_2_6D0053E0 GetTimeZoneInformation,GetSystemTimeAsFileTime
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exeCode function: 19_2_00AD0090 malloc,malloc,malloc,??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ,??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z,??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ,GetVersionExW,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@G@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@G@Z,_invalid_parameter_noinfo_noreturn,?ConvertUnicodeToUtf8@BASUtilityString@@SAPADPB_W@Z,?AddJsonDictStringValue@AssJsonUtil@@SAXAAV?$GenericValue@U?$UTF8@D@rapidjson@@V?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@2@@rapidjson@@AAV?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@3@PBD2@Z,?AddJsonDictStringValue@AssJsonUtil@@SAXAAV?$GenericValue@U?$UTF8@D@rapidjson@@V?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@2@@rapidjson@@AAV?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@3@PBD2@Z,?AddJsonDictStringValue@AssJsonUtil@@SAXAAV?$GenericValue@U?$UTF8@D@rapidjson@@V?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@2@@rapidjson@@AAV?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@3@PBD2@Z,?AddJsonDictStringValue@AssJsonUtil@@SAXAAV?$GenericValue@U?$UTF8@D@rapidjson@@V?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@2@@rapidjson@@AAV?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@3@PBD2@Z,?AddJsonDictStringValue@AssJsonUtil@@SAXAAV?$GenericValue@U?$UTF8@D@rapidjson@@V?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@2@@rapidjson@@AAV?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@3@PBD2@Z,GlobalMemoryStatusEx,?AddJsonDictUInt64Value@AssJsonUtil@@SAXAAV?$GenericValue@U?$UTF8@D@rapidjson@@V?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@2@@rapidjson@@AAV?$MemoryPoolAllocator
@VCrtAllocator@rapidjson@@@3@PBD_K@Z,?AddJsonDictUInt64Value@AssJsonUtil@@SAXAAV?$GenericValue@U?$UTF8@D@rapidjson@@V?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@2@@rapidjson@@AAV?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@3@PBD_K@Z,?AddJsonDictUInt64Value@AssJsonUtil@@SAXAAV?$GenericValue@U?$UTF8@D@rapidjson@@V?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@2@@rapidjson@@AAV?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@3@PBD_K@Z,?ToString@AssJsonUtil@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$GenericValue@U?$UTF8@D@rapidjson@@V?$MemoryPoolAllocator@VCrtAllocator@rapidjson@@@2@@rapidjson@@@Z,?Free@BASUtilityString@@SAXPAX@Z,??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UAE@XZ,??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ,_invalid_parameter_noinfo_noreturn,19_2_00AD0090
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara matchFile source: 00000004.00000003.1295035414.0000000007E84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1299209569.0000000008420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1308078998.0000000009501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1306813816.000000000950F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1300004753.0000000008F69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1304480916.0000000008F67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1303682934.000000000950D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1294114246.00000000089DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1310985722.0000000009AAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1306280910.0000000008F65000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1298422223.0000000008F8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1302926420.0000000008F61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1293571064.0000000008435000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1305389223.0000000009500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1301409791.000000000950D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: BackupExtractor.exe PID: 5328, type: MEMORYSTR
            Source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *electrum*
            Source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <%appdata%\ElectronCash\wallets
            Source: BackupExtractor.exe, 00000004.00000003.1296558041.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
            Source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <%appdata%\Exodus\exodus.wallet9
            Source: BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *Exodus*
            Source: BackupExtractor.exe, 00000004.00000003.1295439567.0000000002EF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets=Y
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe File opened: C:\Users\user\AppData\Roaming\Miranda\

            Remote Access Functionality

            Source: Yara matchFile source: Process Memory Space: BackupExtractor.exe PID: 5328, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 23_2_6CF628B0 strlen,strchr,getsockname,WSAGetLastError,WSAGetLastError,strchr,strcpy,strncpy,strchr,strtoul,strchr,strtoul,memcpy,htons,bind,WSAGetLastError,getsockname,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,curl_easy_strerror,curl_msnprintf,curl_easy_strerror,23_2_6CF628B0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 23_2_6CF54A30 setsockopt,WSAGetLastError,setsockopt,WSAIoctl,WSAGetLastError,_errno,_errno,_errno,strlen,memset,strncmp,strncmp,htons,htons,strchr,htons,htons,atoi,bind,htons,bind,getsockname,WSAGetLastError,connect,WSAGetLastError,WSAGetLastError,23_2_6CF54A30
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 23_2_6CF78490 ldap_simple_bind_sW,free,free,ldap_bind_sW,ldap_bind_sW,23_2_6CF78490
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 23_2_6CF8FDA0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,curl_msnprintf,strlen,send,recv,memcmp,closesocket,closesocket,closesocket,closesocket,23_2_6CF8FDA0
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 23_2_6CF77820 free,strchr,strchr,strchr,free,strchr,strchr,ldap_set_optionW,ldap_initW,ldap_err2stringA,ldap_msgfree,ldap_unbind_s,free,ldap_sslinitW,ldap_set_optionW,ldap_set_optionW,ldap_set_optionW,ldap_err2stringA,ldap_search_sW,ldap_err2stringA,ldap_first_entry,ldap_get_dnW,strlen,free,ldap_memfreeW,ldap_first_attributeW,strlen,ldap_get_values_lenW,strcmp,ldap_value_free_len,free,ldap_memfreeW,ldap_next_attributeW,ber_free,ldap_next_entry,ldap_get_dnW,ldap_value_free_len,free,ldap_memfreeW,ber_free,ldap_value_free_len,free,free,ldap_memfreeW,free,ldap_memfreeW,23_2_6CF77820
            Source: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe Code function: 23_2_6CF956A0 bind,WSAGetLastError,23_2_6CF956A0
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | 1 Exploitation of Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 11 Peripheral Device Discovery | Remote Desktop Protocol | 2 Data from Local System | 22 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 3 Command and Scripting Interpreter | Logon Script (Windows) | 12 Process Injection | 3 Obfuscated Files or Information | 1 Credentials In Files | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Multi-hop Proxy | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Registry Run Keys / Startup Folder | 11 Install Root Certificate | NTDS | 65 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 251 Security Software Discovery | SSH | Keylogging | 1 Proxy | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 151 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Masquerading | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 151 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 2 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            [Behavior graph, image not reproduced. Behavior Graph ID: 1432009, Sample: AdvancedReclaiMeFreeRAIDRec..., Startdate: 26/04/2024, Architecture: WINDOWS, Score: 96. Process chain shown: msiexec.exe started BackupExtractor.exe, which started cmd.exe, which started powershell.exe and conhost.exe.]

            No Antivirus matches
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\ActivityTracesHelper.dll | 8% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\concrt140.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\concrt140.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\groceryc.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\iconv.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libBasic.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libBasic.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libHelper.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libHelper.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libI18n.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libI18n.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libRG.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libRG.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libUpdate.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libUpdate.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libView.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libView.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libcrypto-1_1.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libcrypto-1_1.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libcurl.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libcurl.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libexpat.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libexpat.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libglog.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libglog.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libmodel.dll | 14% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libssl-1_1.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libssl-1_1.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libxml2-2.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\libxml2-2.dll | 0% | Virustotal |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\msvcp140.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\msvcp140.dll | 0% | Virustotal |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            https://curl.se/docs/alt-svc.html# | 0% | Avira URL Cloud | safe
            https://curl.se/docs/http-cookies.html | 0% | Avira URL Cloud | safe
            http://html4/loose.dtd | 0% | Avira URL Cloud | safe
            https://curl.se/docs/hsts.html# | 0% | Avira URL Cloud | safe
            https://curl.se/docs/hsts.html | 0% | Avira URL Cloud | safe
            https://curl.se/docs/http-cookies.html# | 0% | Avira URL Cloud | safe
            http://www.brynosaurus.com/cachedir/ | 0% | Avira URL Cloud | safe
            https://curl.se/docs/alt-svc.html | 0% | Avira URL Cloud | safe
            https://curl.se/docs/http-cookies.html | 0% | Virustotal |
            http://www.brynosaurus.com/cachedir/ | 0% | Virustotal |
            http://.css | 0% | Avira URL Cloud | safe
            https://curl.se/docs/alt-svc.html# | 0% | Virustotal |
            https://curl.se/docs/http-cookies.html# | 0% | Virustotal |
            https://curl.se/docs/hsts.html# | 0% | Virustotal |
            http://.jpg | 0% | Avira URL Cloud | safe
            https://curl.se/docs/alt-svc.html | 0% | Virustotal |
            https://curl.se/docs/hsts.html | 0% | Virustotal |
            No contacted domains info
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://curl.se/docs/hsts.html | BackupExtractor.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://html4/loose.dtd | BackupExtractor.exe | false | Avira URL Cloud: safe | low
            https://curl.se/docs/alt-svc.html# | BackupExtractor.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.openssl.org/support/faq.htmlRAND | BackupExtractor.exe, 00000004.00000003.1592953238.000000007E5C0000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1594280396.000000007FA70000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1591484950.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1592097219.000000007E860000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1592322911.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | false | | high
            https://curl.se/docs/http-cookies.html | BackupExtractor.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.openssl.org/V | BackupExtractor.exe, 00000004.00000003.1592953238.000000007E5C0000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1594280396.000000007FA70000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1592097219.000000007E860000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1593520884.000000007EA60000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1594197654.000000007F9B0000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1592322911.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1593451609.000000007E940000.00000004.00001000.00020000.00000000.sdmp | false | | high
            https://curl.se/docs/hsts.html# | BackupExtractor.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://www.brynosaurus.com/cachedir/ | BackupExtractor.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            https://curl.se/docs/http-cookies.html# | BackupExtractor.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            https://curl.se/docs/alt-svc.html | BackupExtractor.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
            http://.css | BackupExtractor.exe, 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1300004753.0000000008F69000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1304480916.0000000008F67000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1295035414.0000000007E84000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1299209569.0000000008420000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1303682934.000000000950D000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1298422223.0000000008F8B000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1310985722.0000000009AAC000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306280910.0000000008F65000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1306813816.000000000950F000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1294114246.00000000089DF000.00000004.00000020.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1302926420.0000000008F61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
            http://.jpg | BackupExtractor.exe | false | Avira URL Cloud: safe | low
            http://www.openssl.org/support/faq.html | BackupExtractor.exe, 00000004.00000003.1592953238.000000007E5C0000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1594280396.000000007FA70000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1591484950.000000007EBB0000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1592097219.000000007E860000.00000004.00001000.00020000.00000000.sdmp, BackupExtractor.exe, 00000004.00000003.1592322911.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | false | | high
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  65.38.121.69 | unknown | United States | 7381 | SRS-6-Z-7381US | false
                  8.8.8.8 | unknown | United States | 15169 | GOOGLEUS | false
                  146.19.254.194 | unknown | France | 7726 | FITC-ASUS | false
                  192.121.22.224 | unknown | Sweden | 47447 | TTMDE | false
                  Joe Sandbox version: 40.0.0 Tourmaline
                  Analysis ID: 1432009
                  Start date and time: 2024-04-26 09:02:39 +02:00
                  Joe Sandbox product: CloudBasic
                  Overall analysis duration: 0h 10m 29s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed: 25
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Sample name: AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msi
                  Detection: MAL
                  Classification: mal96.phis.bank.troj.spyw.evad.winMSI@11/116@0/4
                  EGA Information:
                  • Successful, ratio: 66.7%
                  HCA Information:
                  • Successful, ratio: 92%
                  • Number of executed functions: 7
                  • Number of non-executed functions: 366
                  Cookbook Comments:
                  • Found application associated with file extension: .msi
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 72.21.81.240
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, time.windows.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 2040 because it is empty
                  • Not all processes where analyzed, report is missing behavior information
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtCreateKey calls found.
                  • Report size getting too big, too many NtEnumerateKey calls found.
                  • Report size getting too big, too many NtEnumerateValueKey calls found.
                  • Report size getting too big, too many NtOpenFile calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
                  Time | Type | Description
                  09:03:31 | API Interceptor | 1x Sleep call for process: msiexec.exe modified
                  10:25:18 | API Interceptor | 1543417x Sleep call for process: BackupExtractor.exe modified
                  10:26:06 | Task Scheduler | Run new task: Image AutoEnhancer Suite path: C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                  10:26:06 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Image AutoEnhancer C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                  10:26:07 | API Interceptor | 8x Sleep call for process: powershell.exe modified
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):14901
                                    Entropy (8bit):5.770561333356329
                                    Encrypted:false
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                    Category:dropped
                                    Size (bytes):69993
                                    Entropy (8bit):7.99584879649948
                                    Encrypted:true
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):330
                                    Entropy (8bit):3.1475546137593846
                                    Encrypted:false
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1168
                                    Entropy (8bit):5.3566472797741405
                                    Encrypted:false
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):4942848
                                    Entropy (8bit):6.761466301260418
                                    Encrypted:false
                                    Malicious:false
                                    Antivirus:
                                     • Antivirus: Virustotal, Detection: 8%
                                    Reputation:low
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):569744
                                    Entropy (8bit):6.50452279639395
                                    Encrypted:false
                                    Malicious:true
                                    Antivirus:
                                     • Antivirus: ReversingLabs, Detection: 0%
                                     • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):5865990
                                    Entropy (8bit):7.999458253065571
                                    Encrypted:true
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):5866207
                                    Entropy (8bit):7.999458303983217
                                    Encrypted:true
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
                                    Category:dropped
                                    Size (bytes):3075244
                                    Entropy (8bit):7.914874142633495
                                    Encrypted:false
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):250336
                                    Entropy (8bit):6.67586623508473
                                    Encrypted:false
                                    Malicious:false
                                    Antivirus:
                                     • Antivirus: ReversingLabs, Detection: 0%
                                     • Antivirus: Virustotal, Detection: 0%
                                     Joe Sandbox View:
                                     • Filename: , Detection: malicious
                                     • Filename: clipgrab-3.9.7-dotinstaller.exe, Detection: malicious
                                     • Filename: clipgrab-3.9.7-dotinstaller.exe, Detection: malicious
                                     • Filename: clipgrab-3.9.7-dotinstaller.exe, Detection: malicious
                                     • Filename: clipgrab-3.9.7-dotinstaller.exe, Detection: malicious
                                     • Filename: installer_Win8_Win11_x64_3b8199dbc13e6.exe, Detection: malicious
                                     • Filename: invoice order-876451877#..xlsb, Detection: malicious
                                     • Filename: invoice order-9951487307#..xlsb, Detection: malicious
                                     • Filename: purchase order-419617892#..xlsb, Detection: malicious
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):377344
                                    Entropy (8bit):6.622510888645371
                                    Encrypted:false
                                    Malicious:false
                                    Antivirus:
                                     • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):900200
                                    Entropy (8bit):7.341358651525585
                                    Encrypted:false
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):247296
                                    Entropy (8bit):6.643799234126277
                                    Encrypted:false
                                    SSDEEP:6144:DSnzYzTHnI3Rdo1LmMlph3YsrGZJFN57Bv23h6:DSnzYzTHn0/el3tGZJFN57Bk
                                    MD5:782DF5B28CDA00F8D7770E1CBAD2B564
                                    SHA1:657902CBE2E2E58C043B9F93859A86E18AD3C232
                                    SHA-256:195A91E6B7689B92A0A4FDD85D5CA7E18DE9295603EAFE13AD0F34576DD431B1
                                    SHA-512:D10AC1D81BEAD02D6494DD04F699E51D2965BAB8F47DBC20D844CEB5B3AD911B382CA641814D36E78468DE2851D14D0025D2C1FAB73EF67C86FC38EB91D9D7A8
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):33792
                                    Entropy (8bit):6.201414988222606
                                    Encrypted:false
                                    SSDEEP:768:zaeHnbQgWUjJrYYV+q2D30BXzZExCv47k5mV:hH0gllYWk30BX9Ecvh5mV
                                    MD5:101CD326EC426A1FC0FD973FF4229235
                                    SHA1:3E3FDE428AADC6268AABCF6CBDE69690E6A25281
                                    SHA-256:2447390D57A286E3E2FBA8CB7FF307AAB2998F453EF65FBFBE235A4EB83F7211
                                    SHA-512:6602D2D4EC868DD9F3892F36A36A8D3DF7DF13C9E0E0AB7CA0CD239CE004F9738EDEFEE83CCD9831E6636D9452515053343AC4A2010094430AB89AE83EC1BA81
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):25600
                                    Entropy (8bit):6.131271371333226
                                    Encrypted:false
                                    SSDEEP:384:VaMPU1GymFFngDmQ7aGFFOsYpSaw2K6q7Crq/Fc9kYpSmgqX7xVJJuYm3EbcEccS:eswO59/XzJU/3EbcEccfPu5/ybO5
                                    MD5:602AEEC43305021DCEA0103BFD6167AE
                                    SHA1:1EEF22E0C1A076CF88FBE875974D0DD4D40E4D19
                                    SHA-256:33E177DB21F3F21B7D8CBE0D87E92042F3E45F892491046A26FBA1E989E2C38E
                                    SHA-512:921E2B8BE67B8180F0C77FB186D03C02ED3F5C3AA492618A399DE3F72113161D131D081D0A34DD9AE8DC1B1218601154BF4281E5511679683389F151399A6165
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):56320
                                    Entropy (8bit):6.28107185030795
                                    Encrypted:false
                                    SSDEEP:768:0g6WGrXFKjLkpcYnwFof0T8DoJxizXb43ijB2RzNSkZXtsLyrFxjmlR1:0g68LkpcYaG0Jxizk3ig+k12ypxjmD
                                    MD5:90C5A4208AA1AC6DAFB6189159CD7E10
                                    SHA1:7DF05CAA1DBBFA7D8F65ABEAA2D5B3A49AC66032
                                    SHA-256:17927AE7A1E834DD150C5C26E21F68DFA6404A813DFE1A1C33D0DAD446BA3489
                                    SHA-512:E0FBA99AC770A15338A6F06C94F99CE948CC9406444799BBA7EED2514F122F0062DC330C2E67BD41F0235D526FCA232974C9D19B40C9C1C5E0ED01E82494BDBE
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):6.359986452847881
                                    Encrypted:false
                                    SSDEEP:1536:RL/ftxkxHcPrB/cEtQV0bTydy8sZq6FwErl5nZFyfQe3egh1rec8f:RL/fEqPrBZQV0bmw8JejZFZe3egh1reV
                                    MD5:8254B2B4065959E64ACA2C91C2FCCEA7
                                    SHA1:483591ED9E282C6C6726D0DA557FA783ED9A798C
                                    SHA-256:BE195001A8B43DDA8F6193623133E51D378E08094E5AB8F29174A35299EB4E57
                                    SHA-512:4C1777D500CC7198E155142A9322E26A4DC7B392E21948F94A2AAF64BEB1B02D3643B7AAEF3F6AF1BB33D324CD571FD06C3FBC672ABB577CAD3FD0F10FBEE529
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):212992
                                    Entropy (8bit):6.508008813067681
                                    Encrypted:false
                                    SSDEEP:6144:FWAnT6rKyWXUM7ZSQiSPeGd+wBveMH83:YxKyrMTPe9wBvez
                                    MD5:2D4230B6ED8F8929E75C6AF40D337B66
                                    SHA1:9319E96B2117B10A87C3A1418EE5B546AE823894
                                    SHA-256:2F9AE8E3CC528A0A2A76B66A47360C7A18EA4E455DB3D2914B55A81FA1119907
                                    SHA-512:CC9E3A053B9028D0374CB8B0988837211124DBCB9A5869CF545799AB4509A8B0B5D69C6A23429F4EF6A803BF0B3C64D3AEDD9B1264334DEB1B00934BE7F73FE0
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                    Category:dropped
                                    Size (bytes):2420360
                                    Entropy (8bit):6.6336371574975415
                                    Encrypted:false
                                    SSDEEP:49152:D+MGxeMqH0XTQD+QmyuIaX/eayh18cwSizEK1ly6ajezGp4B9QESo0jUsDs/TpyY:7GYDgQaQm3IaX/eayh18cNizEK1lyFjw
                                    MD5:F2AA84D12FCC64349F96DF7EF5F6D063
                                    SHA1:EDDF2F6D54CB86B4251BE168080F5E4ACD4ACC0A
                                    SHA-256:1A4EF4224D094E512CF7A21EB7ADE8A36C0028AEBBDF292F34EA6FE752793CD0
                                    SHA-512:E6ACE721D6D570DB247774D0D78E1F8226A1977A7E1F3CE892E58DCA6556EA7324C42507DE9D3BA8E7E55CA22D7329F2F91E93B4C735FD0C63FB80B319AB26E8
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                    Category:dropped
                                    Size (bytes):1152120
                                    Entropy (8bit):6.718131954608567
                                    Encrypted:false
                                    SSDEEP:24576:tTZKRJUbe2HjVjy9ZYSpFRrhifOgCtH30nPpbFTBT44A900TE:tKUbibtYTmE
                                    MD5:5E4D6CE410E2C156C293162CEF078FCA
                                    SHA1:19E8F2046683A71CDAF907120CE4C95F5339FAF3
                                    SHA-256:6E158F098213773EE2AB91C1F02AB39FBE2896947C9DFCF762AEE10662A8BCD8
                                    SHA-512:076824CC390A7EDE124F6ACBBF407ED7CAED0CF15E5B827F0B622FC93B851EAAA3F8A1D6F2F701CCB2078B7B8A28D2383DE7B71DE6F560B628049394DFC29EA9
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):130560
                                    Entropy (8bit):6.525744169865501
                                    Encrypted:false
                                    SSDEEP:1536:szm4GEVEQHTi806bFkC9rE2HfJUUqJacGjO2VOcOcCIhZ1nd4skksS:t4GEmR4kC9rRfah32VXOrIxnd4skksS
                                    MD5:8B650E64CA112A000F95EB16D698E151
                                    SHA1:7B6533950068EEB9AA96EBAB55E524C48732B70C
                                    SHA-256:CD4F37C1C978F6C7B38AE44B25F0C1DBE40F1B6CF626A08947D5808D7E34A086
                                    SHA-512:E3D9C1C0E21631697FA7BCA5A76467647863430283D855A860A16F87EE9273A1BC37B9A6E5FA16E1A9ED47058738603BA12DC7276278799D1B657AA504597701
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):139776
                                    Entropy (8bit):4.254172171888564
                                    Encrypted:false
                                    SSDEEP:1536:MYwQ57c+V9B0+Fx8qC0iULvxogeztsYLwyD5UUN6:DPc+Vj8q7ajGYLwyD76
                                    MD5:DCDA1583D25968DA25B1D1BF91169680
                                    SHA1:10681C51922CFD06A088C6A6C75CD186F9C8D9D1
                                    SHA-256:84A73BC173A30B2D174A66637BD075BD2C01E48E4FD97ED032DCAFB2C8C0DEA3
                                    SHA-512:3DF130F1A7A82F8401F7E7EC9D56B65F453ECD4CC525FE4AA196E090356951FC00FDCF9A99E776B2CDE2B3CA9276AF7DB270BB2DB4FF1B6CF3F63B648F7DCA76
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):2855328
                                    Entropy (8bit):6.8619034359888325
                                    Encrypted:false
                                    SSDEEP:49152:x0eC9R44GndD0e+PQyZAoD1Rh+CZi+WZGNE6Cyw7Eyy3R:xjWRXMoD0CMZNy3R
                                    MD5:E0197021A4FEF0C88BB257360CEF6317
                                    SHA1:A37076336F11A9D4DC7903F2420437B5CED5B536
                                    SHA-256:96511792AF66C0524E4871C8BF36B2FC01D4AC41A8C6A039551B300431943BA6
                                    SHA-512:2C5A384586F13D7667A884E43D735857A2AF88FBF20485346595F0A18D94CA05A2A1D35E18448607F54AE3412426F850CDA4331EC1045DF21EB846C58D98A7F5
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Virustotal, Detection: 14%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                    Category:dropped
                                    Size (bytes):514184
                                    Entropy (8bit):6.176352008861642
                                    Encrypted:false
                                    SSDEEP:12288:tC/fhNxnzrGlXFOc3xlHPs9hAxRg79eK3yeHqJVKlD9ou1UYaZB:tC/fhNxnzrGlXFOc3/HqhAxRgZeKieHK
                                    MD5:55694C901F906B6234A0B89A27F0F508
                                    SHA1:5BA83E0BAC11F952C05B85EF731B8AA3C2B1CC2F
                                    SHA-256:A384DEB5F6C8517852B0FA4832A373C37881855FAF1FFCE5B7B49EA866371393
                                    SHA-512:BF37592206FCEBB6A2BDEC9B57377456B0DFD56678C51C3D6F81F06F103546966A3F569390522A48917BD461DFA3404D3CCE870D0DB9E98A89C98D4C9653A276
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):3663565
                                    Entropy (8bit):6.344864033991189
                                    Encrypted:false
                                    SSDEEP:98304:5TzXFjljaTzvYxVZyrZ424cozjjc7g1zncaDAAy:5TzXnjaQfZu
                                    MD5:72B58BE0B56AA0F7BBFDFDDD2554B06F
                                    SHA1:C4519063EE6CBBB8FEB6C846949B1C5C81DA26BA
                                    SHA-256:F52724AE696B5C9E2586FD41047E6AC56541EFDFC157A33BA20AD5826234BF53
                                    SHA-512:640B747EBE5EFA39EC05558A75B418BF1C60DE9F503698B2E8A68AFB5BFB2DC890943D13BFA3CD6366C7F9D7E293C9AA9B783C00E313AA27F6E15065937628C1
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):450024
                                    Entropy (8bit):6.673992339875127
                                    Encrypted:false
                                    SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                    MD5:5FF1FCA37C466D6723EC67BE93B51442
                                    SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                    SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                    SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):29160
                                    Entropy (8bit):6.865752122056947
                                    Encrypted:false
                                    SSDEEP:384:ksmpXUJuJv+VWcn53WeZwyRgAQpBj0HRN750QHRN7u7ll6JpIm4:aUUJvSRhqW5082
                                    MD5:BAEB5294985628E64660CBC1EB8A5C92
                                    SHA1:A69E5CC6A51FE90309664A0BF4D05A70956041FD
                                    SHA-256:6527B9B5A1B7D08B537375DADA65BC79F6B6A9BCECA55BC28F44EADA20E4CE8D
                                    SHA-512:B234B03DBE25ED4265C9F08E9EFBB9D94A1077142BC6780162F6B1DF547C9DFC37A7342F70E8EC55C7C3B97F73CE819E979BD13F3B43C311DF4555150D53DE29
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):173544
                                    Entropy (8bit):6.8651765192315075
                                    Encrypted:false
                                    SSDEEP:3072:FMZBzhr8dqXk7Bto76vriyFiE966jcdZ5EyYyG:WZBziFto76pFiE96skDNG
                                    MD5:B31CACCCD4D40BBAD92B7248D30FD7EA
                                    SHA1:5ABB563D6B5839456D061EB567508D852BA8FF7D
                                    SHA-256:71B8F5875BD4D29417433FA695FC4500284225A0A7C894D5C5E60FC20C56E3BF
                                    SHA-512:1E7DECF8903F67DCF755AB6EA20DB2F7C15CEFFE840B742E7C5C642C13DA5EE9DE38CE657BF456A0B6B46CE3EA2A88CD1AFD9AE3EA57078A0CEB254B1EEC8335
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):52104
                                    Entropy (8bit):5.1488364199396335
                                    Encrypted:false
                                    SSDEEP:384:ZWlTFwTSloNYcSNXR5cHDIABta/FWFvug0yiT3UN9imfI/NVW0jdT40Fzenw3GDx:GVT9kNWNLTXwwWDpQJs10cM8dAgT7
                                    MD5:FFB8C73E6E3769D5D8715E694707C792
                                    SHA1:F7D63FA41C34D7B75CD70D72E317DB148F3D50CA
                                    SHA-256:1DD7D3417FFFC321A67AAE2CA7E89A7D75203F8A3586CD829C56766F313F7931
                                    SHA-512:61E83F71A388FD1176665225CC84C32FAC40663376629ADBE9B47CD9E69DDADC43FEC021B07062585AF80811E8F3E0479314B2277E6CB8617645FD304FAE88AB
                                    Malicious:true
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):18816
                                    Entropy (8bit):6.421430337596372
                                    Encrypted:false
                                    SSDEEP:384:5DSdV3lIjIjP2dhWiOEWs/KLHRN7kxjlGsgl/Z:5c32jmdmAT7/Z
                                    MD5:EF6C5EEB8B36D941E6991E6981CDB88A
                                    SHA1:E21989951B745B290F143DD63F94BD4399A74284
                                    SHA-256:3859B4A5A5C0A30CEE15C188F678E09D040541C221999D926955B49E8779E675
                                    SHA-512:12CB0C4E4DE73600E262B6B6D0448FB050BD4B673D86265B4033B253EA3864DDA4F004F6344AAE5BED7A15D5717531F7B18374E47FF4258E027EE7B896F6F406
                                    Malicious:true
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):119888
                                    Entropy (8bit):5.695966568112649
                                    Encrypted:false
                                    SSDEEP:1536:8S+qy+D0wdemoU13StS8WVChdiH/pViXJN7fJ/Vs0TReDPD:R+5c0nmJyS8W+iH/p+JNDXs0TRef
                                    MD5:72C1FF7F3C7474850B11FC962EE1620C
                                    SHA1:B94F73A1CE848D18B38274C96E863DF0636F48A7
                                    SHA-256:3B159DA9DAD9AFD4BD28B5B1A53DC502A2487068055ED8C30136A76CD6924890
                                    SHA-512:1ED4B3C34DD0033EC2AA05BDACAA45041D9CD5880FDB5530CA033308AB349C09D4811BB276BBDF51A3040B7A337F9A5D33796924550962A56058203799C5BD53
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):1170904
                                    Entropy (8bit):6.805826320677691
                                    Encrypted:false
                                    SSDEEP:24576:+WiAihjcDBXUw9y079gzyVFExlfz+pq12S5qyrmcvIZPoy4spcFOo:NiAihjmXfgzyVFEWc2SEyApcco
                                    MD5:126FB99E7037B6A56A14D701FD27178B
                                    SHA1:0969F27C4A0D8270C34EDB342510DE4F388752CD
                                    SHA-256:10F8F24AA678DB8E38E6917748C52BBCD219161B9A07286D6F8093AB1D0318FA
                                    SHA-512:D787A9530BCE036D405988770621B6F15162347A892506CE637839AC83AC6C23001DC5B2292AFD652E0804BD327A7536D5F1B92412697C3BE335A03133D5FE17
                                    Malicious:true
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):270312
                                    Entropy (8bit):6.5939977682940984
                                    Encrypted:false
                                    SSDEEP:6144:UGRqOVlbqCDAqsfeP67SKJpxL0Me83g/2WAOgJ:UG0E48APlOWkAOgJ
                                    MD5:43BD447470FC404AAED0BC75A4FF1F5F
                                    SHA1:D057365C0C01CF81A1F30FEF5D470985CFB45D20
                                    SHA-256:70863045102274C9BF78BAA4D2774B334F92329567A3DD6C246E7876F6B851A3
                                    SHA-512:AF52EDB860541E4EA9824767F152197B42020CA62D85D4AE698CCEF23337D7410F7319C9EC220992A7849B2D6F58265E5A8B3F34C7EA26F849A565845E24701E
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):80880
                                    Entropy (8bit):6.920480786566406
                                    Encrypted:false
                                    SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                    MD5:A37EE36B536409056A86F50E67777DD7
                                    SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                    SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                    SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                    Category:dropped
                                    Size (bytes):103950
                                    Entropy (8bit):6.616616906023165
                                    Encrypted:false
                                    SSDEEP:1536:jD8j24eGiv4dU/KW7H4lg6qcFiQ5Y9w8VAwQnToIfCIO5IOYWUZ2Qo49k:jGTEv4dqYg+epSXTBfgTYWUco9k
                                    MD5:13CD5AB2DA5A98F5F76AA6F987187461
                                    SHA1:DD2D54668258B989CC500C132D9A686BABE67FA5
                                    SHA-256:3310CA85F0CB26E07BB3D8E1168C49E572A7C50762FA8140768663A5DF9823E9
                                    SHA-512:C1C0C11B9804E6D25C8B1C74A09BFD3133255FE47AB9515CDE124EC73231205B11D0536A66FCCC9379DD84A33BB589CC78F867EF423FF30067363FDEE7D605CA
                                    Malicious:true
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):51200
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF235F22DF3E004EDE21041978C24F2E
                                    SHA1:7188972F71AEE4C62669330FF7776E48094B4D9D
                                    SHA-256:16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9
                                    SHA-512:E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:AB893875D697A3145AF5EED5309BEE26
                                    SHA1:C90116149196CBF74FFB453ECB3B12945372EBFA
                                    SHA-256:02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
                                    SHA-512:6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):196608
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:EF2E0D18474B2151EF5876B1E89C2F1D
                                    SHA1:AEF9802FCF76C67D695BC77322BAE5400D3BBE82
                                    SHA-256:3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E
                                    SHA-512:E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:0A9156C4E3C48EF827980639C4D1E263
                                    SHA1:9F13A523321C66208E90D45F87FA0CD9B370E111
                                    SHA-256:3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
                                    SHA-512:8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):32768
                                    Entropy (8bit):0.017262956703125623
                                    Encrypted:false
                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:AB893875D697A3145AF5EED5309BEE26
                                    SHA1:C90116149196CBF74FFB453ECB3B12945372EBFA
                                    SHA-256:02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
                                    SHA-512:6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):51200
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF235F22DF3E004EDE21041978C24F2E
                                    SHA1:7188972F71AEE4C62669330FF7776E48094B4D9D
                                    SHA-256:16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9
                                    SHA-512:E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):196608
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:EF2E0D18474B2151EF5876B1E89C2F1D
                                    SHA1:AEF9802FCF76C67D695BC77322BAE5400D3BBE82
                                    SHA-256:3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E
                                    SHA-512:E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                    Malicious:false
                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                    Malicious:false
                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                    Malicious:false
                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                    Malicious:false
                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):196608
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:EF2E0D18474B2151EF5876B1E89C2F1D
                                    SHA1:AEF9802FCF76C67D695BC77322BAE5400D3BBE82
                                    SHA-256:3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E
                                    SHA-512:E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8
                                    Malicious:false
                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                    Malicious:false
                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):196608
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:EF2E0D18474B2151EF5876B1E89C2F1D
                                    SHA1:AEF9802FCF76C67D695BC77322BAE5400D3BBE82
                                    SHA-256:3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E
                                    SHA-512:E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8
                                    Malicious:false
                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                    Malicious:false
                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:0A9156C4E3C48EF827980639C4D1E263
                                    SHA1:9F13A523321C66208E90D45F87FA0CD9B370E111
                                    SHA-256:3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
                                    SHA-512:8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):32768
                                    Entropy (8bit):0.017262956703125623
                                    Encrypted:false
                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):51200
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF235F22DF3E004EDE21041978C24F2E
                                    SHA1:7188972F71AEE4C62669330FF7776E48094B4D9D
                                    SHA-256:16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9
                                    SHA-512:E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:AB893875D697A3145AF5EED5309BEE26
                                    SHA1:C90116149196CBF74FFB453ECB3B12945372EBFA
                                    SHA-256:02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
                                    SHA-512:6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):196608
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:EF2E0D18474B2151EF5876B1E89C2F1D
                                    SHA1:AEF9802FCF76C67D695BC77322BAE5400D3BBE82
                                    SHA-256:3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E
                                    SHA-512:E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:0A9156C4E3C48EF827980639C4D1E263
                                    SHA1:9F13A523321C66208E90D45F87FA0CD9B370E111
                                    SHA-256:3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
                                    SHA-512:8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):32768
                                    Entropy (8bit):0.017262956703125623
                                    Encrypted:false
                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):51200
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF235F22DF3E004EDE21041978C24F2E
                                    SHA1:7188972F71AEE4C62669330FF7776E48094B4D9D
                                    SHA-256:16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9
                                    SHA-512:E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:AB893875D697A3145AF5EED5309BEE26
                                    SHA1:C90116149196CBF74FFB453ECB3B12945372EBFA
                                    SHA-256:02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
                                    SHA-512:6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):196608
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:EF2E0D18474B2151EF5876B1E89C2F1D
                                    SHA1:AEF9802FCF76C67D695BC77322BAE5400D3BBE82
                                    SHA-256:3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E
                                    SHA-512:E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:0A9156C4E3C48EF827980639C4D1E263
                                    SHA1:9F13A523321C66208E90D45F87FA0CD9B370E111
                                    SHA-256:3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
                                    SHA-512:8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):32768
                                    Entropy (8bit):0.017262956703125623
                                    Encrypted:false
                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):196608
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:EF2E0D18474B2151EF5876B1E89C2F1D
                                    SHA1:AEF9802FCF76C67D695BC77322BAE5400D3BBE82
                                    SHA-256:3381DE4CA9F3A477F25989DFC8B744E7916046B7AA369F61A9A2F7DC0963EC9E
                                    SHA-512:E81185705A3BD73645BF2B190BBF3AEE060C1C72F98FA39665F254A755B0A5723CE8296422874EB50C7B5E8D6BCD90175B0BA28061221039172A3F50E8902CC8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:AB893875D697A3145AF5EED5309BEE26
                                    SHA1:C90116149196CBF74FFB453ECB3B12945372EBFA
                                    SHA-256:02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
                                    SHA-512:6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):51200
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF235F22DF3E004EDE21041978C24F2E
                                    SHA1:7188972F71AEE4C62669330FF7776E48094B4D9D
                                    SHA-256:16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9
                                    SHA-512:E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:AB893875D697A3145AF5EED5309BEE26
                                    SHA1:C90116149196CBF74FFB453ECB3B12945372EBFA
                                    SHA-256:02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
                                    SHA-512:6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):51200
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF235F22DF3E004EDE21041978C24F2E
                                    SHA1:7188972F71AEE4C62669330FF7776E48094B4D9D
                                    SHA-256:16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9
                                    SHA-512:E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:DAA100DF6E6711906B61C9AB5AA16032
                                    SHA1:963FF6C2D517D188014D2EF3682C4797888E6D26
                                    SHA-256:CC61635DA46B2C9974335EA37E0B5FD660A5C8A42A89B271FA7EC2AC4B8B26F6
                                    SHA-512:548FAEE346D6C5700BB37D3D44B593E3C343CA7DC6B564F6D3DC7BD5463FBB925765D9C6EA3065BF19F3CCF7B2E1CB5C34C908057C60B62BE866D2566C0B9393
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:0A9156C4E3C48EF827980639C4D1E263
                                    SHA1:9F13A523321C66208E90D45F87FA0CD9B370E111
                                    SHA-256:3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
                                    SHA-512:8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):32768
                                    Entropy (8bit):0.017262956703125623
                                    Encrypted:false
                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:E6FF930C3FB6DE61F664581C1A85F60C
                                    SHA1:F447CB15945D8630CC88ED3B7BEE049B6F5E4C7D
                                    SHA-256:CAA961E702D561D3245D06BF54FB5FE35BF75037032D764EC11FCB5AC1D41C1C
                                    SHA-512:60CA902E544D9535BC0F596EE8D262CAA73C885750875623DE20B42FAD52189C0CF41225312FC50DDB0C4D52580094A79F69CC8C674DC3200A42A935190DFFF8
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):51200
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF235F22DF3E004EDE21041978C24F2E
                                    SHA1:7188972F71AEE4C62669330FF7776E48094B4D9D
                                    SHA-256:16FA66A7DC98D93F2A4C5D20BAF5177F59C4C37FC62FACE65690C11C15FE6FF9
                                    SHA-512:E76D7CBBAA2B3110D38425F7B579C6F94C29A162D3B4A3B9A4FEACEDE7CEC5EA5E30E455F9417A2C230390C78AB2FBC54C7B98C8F8F68955FE071C37C59D4046
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:0A9156C4E3C48EF827980639C4D1E263
                                    SHA1:9F13A523321C66208E90D45F87FA0CD9B370E111
                                    SHA-256:3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
                                    SHA-512:8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):32768
                                    Entropy (8bit):0.017262956703125623
                                    Encrypted:false
                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                    Malicious:false
                                    Process:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:AB893875D697A3145AF5EED5309BEE26
                                    SHA1:C90116149196CBF74FFB453ECB3B12945372EBFA
                                    SHA-256:02B1C2234680617802901A77EAE606AD02E4DDB4282CCBC60061EAC5B2D90BBA
                                    SHA-512:6B65C0A1956CE18DF2D271205F53274D2905C803D059A0801BF8331CCAA28A1D4842D3585DD9C2B01502A4BE6664BDE2E965B15FCFEC981E85EED37C595CD6BC
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Advanced ReclaiMe Free RAID Recovery Free, Author: www.reclaime.com, Keywords: Installer, Comments: This installer database contains the logic and data required to install Advanced ReclaiMe Free RAID Recovery Free., Template: Intel;1033, Revision Number: {BAAEC4FF-367D-45A2-B266-709F9930739C}, Create Time/Date: Fri Apr 12 15:52:02 2024, Last Saved Time/Date: Fri Apr 12 15:52:02 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                    Category:dropped
                                    Size (bytes):17424384
                                    Entropy (8bit):7.993097906598035
                                    Encrypted:true
                                    SSDEEP:393216:HieBjGelarehMcNTuo/VUgz4yorqOualKVC06r+ySRjwZXCSkOjmO:HieNFarehM6uOagzPomO7F+9RsVp5
                                    MD5:3F79740F726F7D412336FAFC9FEBA28F
                                    SHA1:F5580579105AC3DDE64BD65FD1371FA8C5313E70
                                    SHA-256:A4781C64764C1C030790269EAE5F56E6A56EDAAC3F548DB5CAEB46B65ACC6735
                                    SHA-512:F503DB92033390B3DE0B6D58BF050249AD75A40B03DDDA4B9E9D0AB21100E2E827CFC5C5A01DF748C99FBFA4FA9031FAB4BE26E78E360806BF6D0053511E3490
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):12004
                                    Entropy (8bit):5.688008219543684
                                    Encrypted:false
                                    SSDEEP:192:u6Sm80sxnbXLF5C9WB+C21jB9jtjKVsEDevXNseRUhiWg1n:ur90sxHFs90+51jPtOVzDe1tUQWg1n
                                    MD5:8B431788C0D42B62FE211B8C951E2346
                                    SHA1:916C9D982C0497913A1E8B0CE248B425A3216183
                                    SHA-256:59EDE83DCED54CBFA9600024B9DE4DB6C737FC33446BB3CA38891161A8F92180
                                    SHA-512:B57929DBA7099FAB3DF133E42DB98CFA8C10BC52A47B56F768AA103B57D6976E1C3DB0F35C686FB6A1C0F60FE5C4BCC4D47DE1D688D85728ECA8DB397938747E
                                    Malicious:false
                                    Preview:...@IXOS.@.....@qH.X.@.....@.....@.....@.....@.....@......&.{58F90A35-6245-4CD8-953C-458660066C65}).Advanced ReclaiMe Free RAID Recovery Free-.AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msi.@.....@.....@.....@........&.{BAAEC4FF-367D-45A2-B266-709F9930739C}.....@.....@.....@.....@.......@.....@.....@.......@....).Advanced ReclaiMe Free RAID Recovery Free......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{150D1CBB-1754-5987-B9F0-B528A11F8EDC}l.C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\ActivityTracesHelper.dll.@.......@.....@.....@......&.{11966A59-B074-5E00-805B-0C14A83BA461}g.C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe.@.......@.....@.....@......&.{BC511FDF-06BF-5FC4-9BD6-27831F2CE5C7}a.C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free R
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:Composite Document File V2 Document, Cannot read section info
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):1.1884702296202736
                                    Encrypted:false
                                    SSDEEP:12:JSbX72FjgsXAlfLIlHmRpCBh+7777777777777777777777777ZDHFlcV1Lpyi8r:JRUIYZ7MbyFiF
                                    MD5:1E71BF244704B53F22BA5D203A74D98A
                                    SHA1:EE2515424464F80730DA22EED2C5408120A3AE90
                                    SHA-256:D59A819889FEC7C77F2A56AEF7CE0170C92595B3CFC34C03BDD5FEF1AF0AEF38
                                    SHA-512:269CAE8B3E2B0805B3225256901B51D4A5DDAF7AC892317C542E1CF213959D817C357C4DC34147371DC6D9006D68D7B6F5E9B38383C0451284821422A38408C2
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:Composite Document File V2 Document, Cannot read section info
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):1.5476253024493831
                                    Encrypted:false
                                    SSDEEP:48:b8PhLuRc06WX4SnT5JT8aac8VePMcGvaq0y7TS5MkrlMcGvaq0y7TSIzWaq0y7b:ChL1CnTr8aa1vVaqLfT5VaqLfnWaqLH
                                    MD5:BC76298BD170237C11BF9244DB6BC0EE
                                    SHA1:53E24BDC333DF20CAE4DCF9F9892B2CF29C3D6FC
                                    SHA-256:042B400F14A7CD0F7BBED7688BF70FED1BFEFB5AFC2224A5B61373C736986AB5
                                    SHA-512:EB3C81A81395544DD471F1378F453C56A6AD3ED24A9C69D8433BF7B8FC05F69A896899AB595CC8B2436A8524622B2459E693BCA76673AC98ABC6834E938CD92F
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):360001
                                    Entropy (8bit):5.362956092472398
                                    Encrypted:false
                                    SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauF:zTtbmkExhMJCIpEE
                                    MD5:2A1C6E64CDEBD672C200EAFCB2D9038E
                                    SHA1:F92596E5AA0A608CE90F59EF4C4DC8A95B8C62AF
                                    SHA-256:C9B667E24208EDA04B5A4F866FDE072370BF631FF6F559BB5D0AE2B5F8DFB41E
                                    SHA-512:EFA025FC45F51142288205BAE54DA60F1D1FF47ABF111E33C45EDBE6BC0D9BB3DDEDAB3885E566E7F65724476985E8F4FDCAF1A2754BACF1C6784CCF5B881E42
                                    Malicious:false
                                    Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):32768
                                    Entropy (8bit):0.08309538704011005
                                    Encrypted:false
                                    SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOlM8Drwyuqa1LZAYIiVky6lrX:2F0i8n0itFzDHFlcV1LpyrX
                                    MD5:458EFCB3698423D85C4FDDF8240BEB3B
                                    SHA1:8A9B8FCF144188B6B150D29FB1FB3FD1639E513F
                                    SHA-256:4A08185B92AE4308207E8C6A9B2B100B2FA562108CD96F4F9A688172CE2B923B
                                    SHA-512:CE1DE560EAB16ADE05CB5DB78B9CB33640E494A080145864EE2987043D4966870516E6D6042BDCAB4D3ADF462F706AA06F6AFF9B9987C0140A75128CA9ABF964
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):69632
                                    Entropy (8bit):0.13720934977595622
                                    Encrypted:false
                                    SSDEEP:48:sGaq0y7zELMcGvaq0y7TSLMcGvaq0y7TS5MkrZoE8aac8W:sGaqL/xVaqLfRVaqLfTjE8aa
                                    MD5:8755BD1C93142A106F602B85A6D337BD
                                    SHA1:C98390CEEE1AD81BE30EBA2FF061EE2E7F94070E
                                    SHA-256:BF0D64E88B8001D7D5CDAFDF2D21039A90F795DEEFF95F7C3233E9B8C9E66E1C
                                    SHA-512:0A3E96C78647B84DC30360E12AEB42D292D7D258732992F4252FF2D2908A89792F1E3C6B96CFC254D82F9E9EF74A8334903B7CD9E361D2753A0625C7E82CDE00
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:Composite Document File V2 Document, Cannot read section info
                                    Category:dropped
                                    Size (bytes):32768
                                    Entropy (8bit):1.2406059150792452
                                    Encrypted:false
                                    SSDEEP:48:qETuRM+xFX4BT5ET8aac8VePMcGvaq0y7TS5MkrlMcGvaq0y7TSIzWaq0y7b:3TciT88aa1vVaqLfT5VaqLfnWaqLH
                                    MD5:8D42990FA630C61FCE1216C53ACEA179
                                    SHA1:D19767BAF87E532FF6F08CE06603EB57E7395C10
                                    SHA-256:33E38486CB176D8654D0608C2E892CC9AB558749987D296A228207723A2034B4
                                    SHA-512:21099B650D792A771F358CDD233F4EF070E0361732CFE60D3232029D136C5943F0CA879BFBCF571E28530B662C0BCA7470602C47E5B1261D7E3045E531A9CFE4
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:Composite Document File V2 Document, Cannot read section info
                                    Category:dropped
                                    Size (bytes):20480
                                    Entropy (8bit):1.5476253024493831
                                    Encrypted:false
                                    SSDEEP:48:b8PhLuRc06WX4SnT5JT8aac8VePMcGvaq0y7TS5MkrlMcGvaq0y7TSIzWaq0y7b:ChL1CnTr8aa1vVaqLfT5VaqLfnWaqLH
                                    MD5:BC76298BD170237C11BF9244DB6BC0EE
                                    SHA1:53E24BDC333DF20CAE4DCF9F9892B2CF29C3D6FC
                                    SHA-256:042B400F14A7CD0F7BBED7688BF70FED1BFEFB5AFC2224A5B61373C736986AB5
                                    SHA-512:EB3C81A81395544DD471F1378F453C56A6AD3ED24A9C69D8433BF7B8FC05F69A896899AB595CC8B2436A8524622B2459E693BCA76673AC98ABC6834E938CD92F
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:Composite Document File V2 Document, Cannot read section info
                                    Category:dropped
                                    Size (bytes):32768
                                    Entropy (8bit):1.2406059150792452
                                    Encrypted:false
                                    SSDEEP:48:qETuRM+xFX4BT5ET8aac8VePMcGvaq0y7TS5MkrlMcGvaq0y7TSIzWaq0y7b:3TciT88aa1vVaqLfT5VaqLfnWaqLH
                                    MD5:8D42990FA630C61FCE1216C53ACEA179
                                    SHA1:D19767BAF87E532FF6F08CE06603EB57E7395C10
                                    SHA-256:33E38486CB176D8654D0608C2E892CC9AB558749987D296A228207723A2034B4
                                    SHA-512:21099B650D792A771F358CDD233F4EF070E0361732CFE60D3232029D136C5943F0CA879BFBCF571E28530B662C0BCA7470602C47E5B1261D7E3045E531A9CFE4
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:Composite Document File V2 Document, Cannot read section info
                                    Category:dropped
                                    Size (bytes):32768
                                    Entropy (8bit):1.2406059150792452
                                    Encrypted:false
                                    SSDEEP:48:qETuRM+xFX4BT5ET8aac8VePMcGvaq0y7TS5MkrlMcGvaq0y7TSIzWaq0y7b:3TciT88aa1vVaqLfT5VaqLfnWaqLH
                                    MD5:8D42990FA630C61FCE1216C53ACEA179
                                    SHA1:D19767BAF87E532FF6F08CE06603EB57E7395C10
                                    SHA-256:33E38486CB176D8654D0608C2E892CC9AB558749987D296A228207723A2034B4
                                    SHA-512:21099B650D792A771F358CDD233F4EF070E0361732CFE60D3232029D136C5943F0CA879BFBCF571E28530B662C0BCA7470602C47E5B1261D7E3045E531A9CFE4
                                    Malicious:false
                                    Process:C:\Windows\System32\msiexec.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                    Malicious:false
                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Advanced ReclaiMe Free RAID Recovery Free, Author: www.reclaime.com, Keywords: Installer, Comments: This installer database contains the logic and data required to install Advanced ReclaiMe Free RAID Recovery Free., Template: Intel;1033, Revision Number: {BAAEC4FF-367D-45A2-B266-709F9930739C}, Create Time/Date: Fri Apr 12 15:52:02 2024, Last Saved Time/Date: Fri Apr 12 15:52:02 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                    Entropy (8bit):7.993097906598035
                                    TrID:
                                    • Microsoft Windows Installer (60509/1) 88.31%
                                    • Generic OLE2 / Multistream Compound File (8008/1) 11.69%
                                    File name:AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msi
                                    File size:17'424'384 bytes
                                    MD5:3f79740f726f7d412336fafc9feba28f
                                    SHA1:f5580579105ac3dde64bd65fd1371fa8c5313e70
                                    SHA256:a4781c64764c1c030790269eae5f56e6a56edaac3f548db5caeb46b65acc6735
                                    SHA512:f503db92033390b3de0b6d58bf050249ad75a40b03ddda4b9e9d0ab21100e2e827cfc5c5a01df748c99fbfa4fa9031fab4be26e78e360806bf6d0053511e3490
                                    SSDEEP:393216:HieBjGelarehMcNTuo/VUgz4yorqOualKVC06r+ySRjwZXCSkOjmO:HieNFarehM6uOagzPomO7F+9RsVp5
                                    TLSH:C4073323F5D4EA16DC37A432D5F2D1AC86927D5301175F085AAC36203CBBAD0A7E686F
                                    Icon Hash:2d2e3797b32b2b99
                                    Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                    Apr 26, 2024 09:05:08.658799887 CEST49734443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:08.658818960 CEST44349734146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:08.658884048 CEST49734443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:08.658909082 CEST44349734146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:08.662262917 CEST49735443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:08.662296057 CEST44349735192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:08.662386894 CEST49735443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:08.707201004 CEST49735443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:08.707216978 CEST44349735192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:08.707226992 CEST49735443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:08.707231998 CEST44349735192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:08.707257986 CEST44349735192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:08.710558891 CEST49736443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:08.710608959 CEST44349736192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:08.710692883 CEST49736443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:08.776463985 CEST49736443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:08.776513100 CEST44349736192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:08.776571035 CEST49736443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:08.776572943 CEST44349736192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:08.776583910 CEST44349736192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:08.779817104 CEST49737443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:08.779835939 CEST4434973765.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:08.779910088 CEST49737443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:08.832178116 CEST49737443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:08.832200050 CEST4434973765.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:08.832238913 CEST4434973765.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:08.832268953 CEST49737443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:08.832279921 CEST4434973765.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:08.838711977 CEST49738443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:08.838742971 CEST44349738146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:08.838812113 CEST49738443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:08.888176918 CEST49738443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:08.888196945 CEST44349738146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:08.888230085 CEST44349738146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:08.888267040 CEST49738443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:08.888278961 CEST44349738146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:08.891402960 CEST49739443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:08.891453981 CEST44349739192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:08.891532898 CEST49739443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:08.955899000 CEST49739443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:08.955924988 CEST44349739192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:08.955950975 CEST44349739192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:08.955982924 CEST49739443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:08.955995083 CEST44349739192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:13.965213060 CEST49740443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:13.965262890 CEST44349740192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:13.965322971 CEST49740443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:14.008622885 CEST49740443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:14.008651018 CEST44349740192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:14.008718967 CEST44349740192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:14.008815050 CEST49740443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:14.008831978 CEST44349740192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:14.012202024 CEST49741443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:14.012217045 CEST4434974165.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:14.012275934 CEST49741443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:14.067482948 CEST49741443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:14.067502022 CEST4434974165.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:14.067635059 CEST4434974165.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:14.067662954 CEST49741443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:14.067675114 CEST4434974165.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:14.070945024 CEST49742443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:14.070987940 CEST44349742146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:14.071060896 CEST49742443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:14.113692045 CEST49742443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:14.113720894 CEST44349742146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:14.113737106 CEST49742443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:14.113744020 CEST44349742146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:14.113790989 CEST44349742146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:14.116569996 CEST49743443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:14.116626024 CEST44349743192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:14.116707087 CEST49743443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:14.158838034 CEST49743443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:14.158838034 CEST49743443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:14.158869982 CEST44349743192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:14.158881903 CEST44349743192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:14.159004927 CEST44349743192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.176907063 CEST49744443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.176938057 CEST44349744192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.177040100 CEST49744443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.225056887 CEST49744443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.225084066 CEST44349744192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.225143909 CEST49744443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.225147963 CEST44349744192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.225229025 CEST44349744192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.228554964 CEST49745443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:16.228575945 CEST4434974565.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:16.228636026 CEST49745443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:16.271220922 CEST49745443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:16.271250963 CEST4434974565.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:16.271311045 CEST4434974565.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:16.271315098 CEST49745443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:16.271330118 CEST4434974565.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:16.274804115 CEST49746443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:16.274897099 CEST44349746146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:16.274982929 CEST49746443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:16.322098970 CEST49746443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:16.322134972 CEST44349746146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:16.322196007 CEST49746443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:16.322202921 CEST44349746146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:16.322243929 CEST44349746146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:16.325109005 CEST49747443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.325181961 CEST44349747192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.325261116 CEST49747443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.375924110 CEST49747443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.375986099 CEST44349747192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.376051903 CEST44349747192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.376080036 CEST49747443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.376122952 CEST44349747192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.379493952 CEST49748443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.379576921 CEST44349748192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.379663944 CEST49748443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.417514086 CEST49748443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.417567015 CEST44349748192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.417602062 CEST49748443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.417618036 CEST44349748192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.417650938 CEST44349748192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.421077967 CEST49749443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:16.421113968 CEST4434974965.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:16.421180010 CEST49749443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:16.465504885 CEST49749443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:16.465526104 CEST4434974965.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:16.465580940 CEST49749443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:16.465584993 CEST4434974965.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:16.465607882 CEST4434974965.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:16.468806982 CEST49750443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:16.468839884 CEST44349750146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:16.468909979 CEST49750443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:16.514410973 CEST49750443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:16.514424086 CEST44349750146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:16.514492989 CEST44349750146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:16.514501095 CEST49750443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:16.514513969 CEST44349750146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:16.517442942 CEST49751443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.517469883 CEST44349751192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.517525911 CEST49751443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.579838991 CEST49751443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.579849958 CEST44349751192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.579935074 CEST49751443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:16.579937935 CEST44349751192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:16.579943895 CEST44349751192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:18.613245010 CEST49752443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:18.613280058 CEST44349752192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:18.613342047 CEST49752443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:18.677433968 CEST49752443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:18.677457094 CEST44349752192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:18.677495956 CEST49752443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:18.677500963 CEST44349752192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:18.677608967 CEST44349752192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:18.682077885 CEST49753443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:18.682105064 CEST4434975365.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:18.683948994 CEST49753443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:18.721416950 CEST49753443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:18.721434116 CEST4434975365.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:18.721501112 CEST49753443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:18.721506119 CEST4434975365.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:18.721534967 CEST4434975365.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:18.722484112 CEST49753443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:18.722495079 CEST4434975365.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:18.724658012 CEST49754443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:18.724726915 CEST44349754146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:18.724795103 CEST49754443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:18.777124882 CEST49754443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:18.777163982 CEST44349754146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:18.777245998 CEST49754443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:18.777262926 CEST44349754146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:18.777297020 CEST44349754146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:18.778316021 CEST49754443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:18.778340101 CEST44349754146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:18.780766964 CEST49755443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:18.780801058 CEST44349755192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:18.781089067 CEST49755443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:18.845710039 CEST49755443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:18.845731974 CEST44349755192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:18.845766068 CEST49755443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:18.845772982 CEST44349755192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:18.845833063 CEST44349755192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:20.887939930 CEST49756443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:20.888027906 CEST44349756192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:20.888147116 CEST49756443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:20.932940960 CEST49756443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:20.932967901 CEST44349756192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:20.933036089 CEST44349756192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:20.933048010 CEST49756443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:20.933063984 CEST44349756192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:20.936408043 CEST49757443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:20.936427116 CEST4434975765.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:20.936511040 CEST49757443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:20.985110044 CEST49757443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:20.985124111 CEST4434975765.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:20.985172033 CEST4434975765.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:20.992496967 CEST49758443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:20.992537022 CEST44349758146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:20.994263887 CEST49758443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:21.076423883 CEST49758443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:21.076464891 CEST44349758146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:21.076529980 CEST49758443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:21.076535940 CEST44349758146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:21.076549053 CEST44349758146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:21.091778994 CEST49759443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:21.091885090 CEST44349759192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:21.091969013 CEST49759443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:21.187896967 CEST49759443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:21.187918901 CEST44349759192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:21.187973022 CEST49759443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:21.187978029 CEST44349759192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:21.188127995 CEST44349759192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:21.213610888 CEST49760443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:21.213675022 CEST44349760192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:21.213746071 CEST49760443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:21.274198055 CEST49760443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:21.274269104 CEST44349760192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:21.274353027 CEST49760443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:21.274389982 CEST44349760192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:21.274379969 CEST44349760192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:21.280636072 CEST49761443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:21.280714989 CEST4434976165.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:21.280781984 CEST49761443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:21.353322983 CEST49761443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:21.353363037 CEST4434976165.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:21.353410006 CEST49761443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:21.353416920 CEST4434976165.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:21.353482962 CEST4434976165.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:21.360413074 CEST49762443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:21.360452890 CEST44349762146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:21.360507011 CEST49762443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:21.423916101 CEST49762443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:21.423944950 CEST44349762146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:21.423990011 CEST49762443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:21.423995972 CEST44349762146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:21.424021959 CEST44349762146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:21.435066938 CEST49763443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:21.435113907 CEST44349763192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:21.435349941 CEST49763443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:21.527158976 CEST49763443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:21.527190924 CEST44349763192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:21.527240992 CEST49763443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:21.527247906 CEST44349763192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:21.527276993 CEST44349763192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:23.574090958 CEST49764443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:23.574142933 CEST44349764192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:23.574212074 CEST49764443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:23.617837906 CEST49764443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:23.617837906 CEST49764443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:23.617855072 CEST44349764192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:23.617866039 CEST44349764192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:23.617937088 CEST44349764192.121.22.224192.168.2.7
                                    Apr 26, 2024 09:05:23.621829987 CEST49765443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:23.621849060 CEST4434976565.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:23.622880936 CEST49765443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:23.687263966 CEST49765443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:23.687290907 CEST4434976565.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:23.687341928 CEST49765443192.168.2.765.38.121.69
                                    Apr 26, 2024 09:05:23.687350035 CEST4434976565.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:23.687386036 CEST4434976565.38.121.69192.168.2.7
                                    Apr 26, 2024 09:05:23.691952944 CEST49766443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:23.692044020 CEST44349766146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:23.692249060 CEST49766443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:23.737111092 CEST49766443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:23.737153053 CEST44349766146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:23.737216949 CEST44349766146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:23.737260103 CEST49766443192.168.2.7146.19.254.194
                                    Apr 26, 2024 09:05:23.737279892 CEST44349766146.19.254.194192.168.2.7
                                    Apr 26, 2024 09:05:23.741672993 CEST49767443192.168.2.7192.121.22.224
                                    Apr 26, 2024 09:05:23.741708040 CEST44349767192.121.22.224192.168.2.7

                                    Target ID:0
                                    Start time:09:03:30
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\msiexec.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msi"
                                    Imagebase:0x7ff6202a0000
                                    File size:69'632 bytes
                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:09:03:31
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\msiexec.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\msiexec.exe /V
                                    Imagebase:0x7ff6202a0000
                                    File size:69'632 bytes
                                    MD5 hash:E5DA170027542E25EDE42FC54C929077
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:4
                                    Start time:09:03:34
                                    Start date:26/04/2024
                                    Path:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
                                    Imagebase:0xab0000
                                    File size:569'744 bytes
                                    MD5 hash:F6AC2A17BDFB64C090280DD734A77651
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Borland Delphi
                                    Yara matches:
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1295035414.0000000007E84000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1295035414.0000000007E84000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1299209569.0000000008420000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1299209569.0000000008420000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1307529167.0000000008F62000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1308078998.0000000009501000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1308078998.0000000009501000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1306813816.000000000950F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1306813816.000000000950F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1300004753.0000000008F69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1300004753.0000000008F69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1304480916.0000000008F67000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1304480916.0000000008F67000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1303682934.000000000950D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1303682934.000000000950D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1294114246.00000000089DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1294114246.00000000089DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1310985722.0000000009AAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1310985722.0000000009AAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1306280910.0000000008F65000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1306280910.0000000008F65000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1298422223.0000000008F8B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1298422223.0000000008F8B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1302926420.0000000008F61000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1302926420.0000000008F61000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1293571064.0000000008435000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1293571064.0000000008435000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1305389223.0000000009500000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1305389223.0000000009500000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1301409791.000000000950D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DanaBot_stealer_dll, Description: Yara detected DanaBot stealer dll, Source: 00000004.00000003.1301409791.000000000950D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 0%, ReversingLabs
                                    • Detection: 0%, Virustotal
                                    Reputation:low
                                    Has exited:false

                                    Target ID:19
                                    Start time:10:26:06
                                    Start date:26/04/2024
                                    Path:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
                                    Imagebase:0xab0000
                                    File size:569'744 bytes
                                    MD5 hash:F6AC2A17BDFB64C090280DD734A77651
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:20
                                    Start time:10:26:06
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
                                    Imagebase:0x410000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:21
                                    Start time:10:26:06
                                    Start date:26/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:22
                                    Start time:10:26:06
                                    Start date:26/04/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
                                    Imagebase:0xe40000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:23
                                    Start time:10:26:14
                                    Start date:26/04/2024
                                    Path:C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Local\Programs\Advanced ReclaiMe Free RAID Recovery Free\BackupExtractor.exe"
                                    Imagebase:0xab0000
                                    File size:569'744 bytes
                                    MD5 hash:F6AC2A17BDFB64C090280DD734A77651
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:0.2%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:25.6%
                                      Total number of Nodes:250
                                      Total number of Limit Nodes:5

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00AD4D40: ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140 ref: 00AD4D83
                                        • Part of subcall function 00AD4D40: ??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z.MSVCP140(?,00000000), ref: 00AD4D98
                                        • Part of subcall function 00AD4D40: ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140 ref: 00AD4DCB
                                        • Part of subcall function 00AD4D40: OpenMutexW.KERNEL32(00100000,00000000,?,?), ref: 00AD4E5A
                                        • Part of subcall function 00AD4D40: FindCloseChangeNotification.KERNEL32(00000000), ref: 00AD4E65
                                      • ?InitPool@AutoRelease@@SAXXZ.LIBBASIC ref: 00ADB039
                                      • ?Get@DhTaskPool@@SAPAV1@XZ.LIBBASIC(00000005), ref: 00ADB041
                                      • ?Activate@DhTaskPool@@QAEXI@Z.LIBBASIC ref: 00ADB049
                                      • ?StartLocalPool@AutoRelease@@SA_NXZ.LIBBASIC ref: 00ADB04F
                                      • CommandLineToArgvW.SHELL32(?,00000000), ref: 00ADB089
                                      • memset.VCRUNTIME140(?,00000000,00000208,00000000,00000000), ref: 00ADB0CE
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 00ADB0E2
                                      • memset.VCRUNTIME140(?,00000000,00000104), ref: 00ADB0F6
                                      • ?GetNowDateTime@BASUtilitySys@@SAXPADPBD@Z.LIBBASIC(?,%Y%m%d,?,00000000,00000104), ref: 00ADB107
                                      • ?ConvertUtf8ToUnicode@BASUtilityString@@SAPA_WPBD@Z.LIBBASIC(?,?), ref: 00ADB120
                                      Strings
                                      • SysInfoStr: , xrefs: 00ADB2C7
                                      • d:\software\89.ios-recovery-win-gui-cool-itunes-5.2\projects\gui\iosrecoverymanager\src\iosrecoverymanager.cpp, xrefs: 00ADB2D1
                                      • .dmp, xrefs: 00ADB43A
                                      • %Y%m%d%H%M%S, xrefs: 00ADB3E0
                                      • %Y%m%d, xrefs: 00ADB101
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089290413.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000013.00000002.2089273833.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089322146.0000000000AFE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089341405.0000000000B11000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089355959.0000000000B12000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089371466.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089391551.0000000000B14000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_ab0000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: U?$char_traits@_$W@std@@@std@@$AutoPool@Pool@@Release@@TaskUtilitymemset$??0?$basic_ios@_??0?$basic_iostream@_??0?$basic_streambuf@_Activate@ArgvChangeCloseCommandConvertDateFindGet@InitLineLocalMutexNotificationOpenPathStartString@@Sys@@TempTime@Unicode@Utf8V?$basic_streambuf@_W@std@@@1@@
                                      • String ID: %Y%m%d$%Y%m%d%H%M%S$.dmp$SysInfoStr: $d:\software\89.ios-recovery-win-gui-cool-itunes-5.2\projects\gui\iosrecoverymanager\src\iosrecoverymanager.cpp
                                      • API String ID: 4002634025-985293724
                                      • Opcode ID: 1ff518eecef5a0dbad85da3ec39434a2992d6e7aaddb3dcdf79cb207a752b019
                                      • Instruction ID: a8a8c6ec7329cb4a4e02e1f36687cd387275d08fc04c57354913abf062a7e25c
                                      • Opcode Fuzzy Hash: 1ff518eecef5a0dbad85da3ec39434a2992d6e7aaddb3dcdf79cb207a752b019
                                      • Instruction Fuzzy Hash: 1022C271900218DBDB20EFA4DC49BEEB7B8FF05701F054599E50AA72A1DB71AE80CF61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • SetEvent.KERNEL32 ref: 62484542
                                      • SetEvent.KERNEL32 ref: 624845B2
                                      • SetEvent.KERNEL32(00000000), ref: 624845FF
                                      • SetEvent.KERNEL32(00000000), ref: 62484636
                                      • TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6248464C
                                      • SetEvent.KERNEL32(00000000), ref: 624846A4
                                      • SetEvent.KERNEL32(00000000), ref: 624846E9
                                      • free.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 624846F2
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$Freefree
                                      • String ID:
                                      • API String ID: 1842897153-0
                                      • Opcode ID: 2bd1197591d7ad28161c57e48fd5c76f83a984e5aa969e3c48ff4743b0cc4cea
                                      • Instruction ID: 831d8dfb63e9d11df6bc7896c692173f11c86926e9654ee590dac13469df5439
                                      • Opcode Fuzzy Hash: 2bd1197591d7ad28161c57e48fd5c76f83a984e5aa969e3c48ff4743b0cc4cea
                                      • Instruction Fuzzy Hash: A0D11A701197029FD745EF78C560B1BBBE4AF85758F018A2CE4A89B380EB78D545CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • ___security_init_cookie.LIBCMT ref: 00AF968D
                                        • Part of subcall function 00AFA966: ___get_entropy.LIBCMT ref: 00AFA980
                                        • Part of subcall function 00AF9A7A: ___isa_available_init.LIBCMT ref: 00AF9A8A
                                      • _initterm_e.API-MS-WIN-CRT-RUNTIME-L1-1-0(00AFEAB0,00AFEAC0,00B09D28,00000014), ref: 00AF96E8
                                      • _initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(00AFEA58,00AFEAAC,00B09D28,00000014), ref: 00AF970E
                                      • ___scrt_release_startup_lock.LIBCMT ref: 00AF9729
                                      • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00AF973D
                                      • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00AF9763
                                      • _register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00B09D28,00000014), ref: 00AF976F
                                      • _get_wide_winmain_command_line.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00B09D28,00000014), ref: 00AF977E
                                      • _cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00B09D28,00000014), ref: 00AF979E
                                      • ___scrt_uninitialize_crt.LIBCMT ref: 00AF97A6
                                      • ___scrt_fastfail.LIBCMT ref: 00AF97FF
                                      • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000007,00B09D28,00000014), ref: 00AF9805
                                      • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,00B09D28,00000014), ref: 00AF980D
                                      • _configure_wide_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00000007,00B09D28,00000014), ref: 00AF9819
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089290413.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000013.00000002.2089273833.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089322146.0000000000AFE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089341405.0000000000B11000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089355959.0000000000B12000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089371466.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089391551.0000000000B14000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_ab0000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: ___scrt_is_nonwritable_in_current_image$___get_entropy___isa_available_init___scrt_fastfail___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie_cexit_configure_wide_argv_exit_get_wide_winmain_command_line_initterm_initterm_e_register_thread_local_exe_atexit_callbackexit
                                      • String ID:
                                      • API String ID: 3486899253-0
                                      • Opcode ID: 3750a7542a0938773ad27387f5e906327a4d99b940f676e3b0efea3d441e9204
                                      • Instruction ID: 26fa8c0fd82c9d397c3aa063cf070519914fa15b973efea9e476fcffeced8171
                                      • Opcode Fuzzy Hash: 3750a7542a0938773ad27387f5e906327a4d99b940f676e3b0efea3d441e9204
                                      • Instruction Fuzzy Hash: 7131363115430CAADB34BBF4AA07BFF6760AF51791F200429F3956B1E2DF2648018266
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: AddressLibraryProcpthread_key_create$DirectoryFreeLoadSystemstrncat
                                      • String ID: QueueUserAPCEx$QueueUserAPCEx_Init$\QUSEREX.DLL
                                      • API String ID: 2212840258-2059956921
                                      • Opcode ID: 527cc0d86fdd6c22cc6cdb3589f71905ef06e06c0e0e70491c401841aeb713d3
                                      • Instruction ID: af5ec4c9b78618ccf54e551aee6fed366ce78101f36f0c1317368921c7ad4910
                                      • Opcode Fuzzy Hash: 527cc0d86fdd6c22cc6cdb3589f71905ef06e06c0e0e70491c401841aeb713d3
                                      • Instruction Fuzzy Hash: 16319270A693009ADB04AF38D5A0B9A7FE8AF5378CF01492DDD589B248E73DC584CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140 ref: 00AD4D83
                                      • ??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z.MSVCP140(?,00000000), ref: 00AD4D98
                                      • ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140 ref: 00AD4DCB
                                        • Part of subcall function 00ABA2C0: ?width@ios_base@std@@QBE_JXZ.MSVCP140(92FA14B1,?,?,?), ref: 00ABA319
                                        • Part of subcall function 00ABA2C0: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00ABA330
                                        • Part of subcall function 00ABA2C0: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00ABA347
                                        • Part of subcall function 00ABA2C0: ?good@ios_base@std@@QBE_NXZ.MSVCP140 ref: 00ABA385
                                        • Part of subcall function 00ABA2C0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140 ref: 00ABA3A0
                                        • Part of subcall function 00ABA2C0: ?good@ios_base@std@@QBE_NXZ.MSVCP140 ref: 00ABA3AD
                                        • Part of subcall function 00ABA2C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000), ref: 00ABA4D5
                                        • Part of subcall function 00ABA2C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00ABA4DB
                                        • Part of subcall function 00ABA2C0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140 ref: 00ABA4E9
                                        • Part of subcall function 00ACC5D0: ?width@ios_base@std@@QBE_JXZ.MSVCP140(92FA14B1), ref: 00ACC60A
                                        • Part of subcall function 00ACC5D0: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00ACC621
                                        • Part of subcall function 00ACC5D0: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00ACC633
                                        • Part of subcall function 00ACC5D0: ?good@ios_base@std@@QBE_NXZ.MSVCP140 ref: 00ACC660
                                        • Part of subcall function 00ACC5D0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140 ref: 00ACC67B
                                        • Part of subcall function 00ACC5D0: ?good@ios_base@std@@QBE_NXZ.MSVCP140 ref: 00ACC688
                                        • Part of subcall function 00ACC5D0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000), ref: 00ACC79A
                                        • Part of subcall function 00ACC5D0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00ACC7A0
                                        • Part of subcall function 00ACC5D0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140 ref: 00ACC7AE
                                        • Part of subcall function 00ABA2C0: ?flags@ios_base@std@@QBEHXZ.MSVCP140 ref: 00ABA3CF
                                        • Part of subcall function 00ABA2C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?), ref: 00ABA3F9
                                        • Part of subcall function 00ABA2C0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP140(00000000,00000000), ref: 00ABA495
                                        • Part of subcall function 00ACC5D0: ?flags@ios_base@std@@QBEHXZ.MSVCP140 ref: 00ACC6AA
                                        • Part of subcall function 00ACC5D0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?), ref: 00ACC6D3
                                        • Part of subcall function 00ACC5D0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?), ref: 00ACC729
                                        • Part of subcall function 00ACC5D0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP140(00000000,00000000), ref: 00ACC75A
                                        • Part of subcall function 00AC2BF0: ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(00000002,77541880,?,00ABBD02,?,?,?,?,?,?,?), ref: 00AC2C16
                                        • Part of subcall function 00AC2BF0: ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,?,00ABBD02,?,?,?,?,?,?,?), ref: 00AC2C28
                                      • OpenMutexW.KERNEL32(00100000,00000000,?,?), ref: 00AD4E5A
                                      • FindCloseChangeNotification.KERNEL32(00000000), ref: 00AD4E65
                                      • CreateMutexW.KERNEL32(00000000,00000001,?), ref: 00AD4E7F
                                      • ??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140 ref: 00AD4F0D
                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00AD4F19
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00AD4F95
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089290413.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000013.00000002.2089273833.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089322146.0000000000AFE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089341405.0000000000B11000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089355959.0000000000B12000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089371466.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089391551.0000000000B14000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_ab0000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D@std@@@std@@U?$char_traits@$?width@ios_base@std@@U?$char_traits@_$W@std@@@std@@$?good@ios_base@std@@$?sputc@?$basic_streambuf@_$?flags@ios_base@std@@?flush@?$basic_ostream@?pptr@?$basic_streambuf@?setstate@?$basic_ios@?uncaught_exception@std@@MutexOsfx@?$basic_ostream@V12@$??0?$basic_ios@_??0?$basic_iostream@_??0?$basic_streambuf@_??1?$basic_ios@??1?$basic_iostream@_ChangeCloseCreateFindNotificationOpenV?$basic_streambuf@_W@std@@@1@@_invalid_parameter_noinfo_noreturn
                                      • String ID: Global_
                                      • API String ID: 3705151531-2452770149
                                      • Opcode ID: 74686bab56dc6c228003fb5bbee0a59a5b428923ae3b5103d3bb0b02501dfd8f
                                      • Instruction ID: b2e6a8fd271a2cc9aeb5e1d5b2df9c93ef8b308d02fc3bdda75b5181aca3ad21
                                      • Opcode Fuzzy Hash: 74686bab56dc6c228003fb5bbee0a59a5b428923ae3b5103d3bb0b02501dfd8f
                                      • Instruction Fuzzy Hash: 95619F71A00109DFDF14DFA4DD89FEDBBB9AF48304F1085A9E50AA7690EB349A45CF60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140 ref: 00AD4D83
                                      • ??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z.MSVCP140(?,00000000), ref: 00AD4D98
                                      • ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140 ref: 00AD4DCB
                                        • Part of subcall function 00ABA2C0: ?width@ios_base@std@@QBE_JXZ.MSVCP140(92FA14B1,?,?,?), ref: 00ABA319
                                        • Part of subcall function 00ABA2C0: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00ABA330
                                        • Part of subcall function 00ABA2C0: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00ABA347
                                        • Part of subcall function 00ABA2C0: ?good@ios_base@std@@QBE_NXZ.MSVCP140 ref: 00ABA385
                                        • Part of subcall function 00ABA2C0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140 ref: 00ABA3A0
                                        • Part of subcall function 00ABA2C0: ?good@ios_base@std@@QBE_NXZ.MSVCP140 ref: 00ABA3AD
                                        • Part of subcall function 00ABA2C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000), ref: 00ABA4D5
                                        • Part of subcall function 00ABA2C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00ABA4DB
                                        • Part of subcall function 00ABA2C0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140 ref: 00ABA4E9
                                        • Part of subcall function 00ACC5D0: ?width@ios_base@std@@QBE_JXZ.MSVCP140(92FA14B1), ref: 00ACC60A
                                        • Part of subcall function 00ACC5D0: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00ACC621
                                        • Part of subcall function 00ACC5D0: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00ACC633
                                        • Part of subcall function 00ACC5D0: ?good@ios_base@std@@QBE_NXZ.MSVCP140 ref: 00ACC660
                                        • Part of subcall function 00ACC5D0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140 ref: 00ACC67B
                                        • Part of subcall function 00ACC5D0: ?good@ios_base@std@@QBE_NXZ.MSVCP140 ref: 00ACC688
                                        • Part of subcall function 00ACC5D0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000), ref: 00ACC79A
                                        • Part of subcall function 00ACC5D0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00ACC7A0
                                        • Part of subcall function 00ACC5D0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140 ref: 00ACC7AE
                                        • Part of subcall function 00ABA2C0: ?flags@ios_base@std@@QBEHXZ.MSVCP140 ref: 00ABA3CF
                                        • Part of subcall function 00ABA2C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?), ref: 00ABA3F9
                                        • Part of subcall function 00ABA2C0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP140(00000000,00000000), ref: 00ABA495
                                        • Part of subcall function 00ACC5D0: ?flags@ios_base@std@@QBEHXZ.MSVCP140 ref: 00ACC6AA
                                        • Part of subcall function 00ACC5D0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?), ref: 00ACC6D3
                                        • Part of subcall function 00ACC5D0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?), ref: 00ACC729
                                        • Part of subcall function 00ACC5D0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP140(00000000,00000000), ref: 00ACC75A
                                        • Part of subcall function 00AC2BF0: ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(00000002,77541880,?,00ABBD02,?,?,?,?,?,?,?), ref: 00AC2C16
                                        • Part of subcall function 00AC2BF0: ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,?,00ABBD02,?,?,?,?,?,?,?), ref: 00AC2C28
                                      • OpenMutexW.KERNEL32(00100000,00000000,?,?), ref: 00AD4E5A
                                      • FindCloseChangeNotification.KERNEL32(00000000), ref: 00AD4E65
                                      • CreateMutexW.KERNEL32(00000000,00000001,?), ref: 00AD4E7F
                                      • ??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140 ref: 00AD4F0D
                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00AD4F19
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00AD4F95
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089290413.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000013.00000002.2089273833.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089322146.0000000000AFE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089341405.0000000000B11000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089355959.0000000000B12000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089371466.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089391551.0000000000B14000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_ab0000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D@std@@@std@@U?$char_traits@$?width@ios_base@std@@U?$char_traits@_$W@std@@@std@@$?good@ios_base@std@@$?sputc@?$basic_streambuf@_$?flags@ios_base@std@@?flush@?$basic_ostream@?pptr@?$basic_streambuf@?setstate@?$basic_ios@?uncaught_exception@std@@MutexOsfx@?$basic_ostream@V12@$??0?$basic_ios@_??0?$basic_iostream@_??0?$basic_streambuf@_??1?$basic_ios@??1?$basic_iostream@_ChangeCloseCreateFindNotificationOpenV?$basic_streambuf@_W@std@@@1@@_invalid_parameter_noinfo_noreturn
                                      • String ID: Global_
                                      • API String ID: 3705151531-2452770149
                                      • Opcode ID: e10208de6e45c234ae72c7838d6df12172b4784ed83203ced3ef1ecfb89e9ed9
                                      • Instruction ID: 61b9d554f0415e39f6a620971375719e08a28adfcd4f93cb7a3fb90fe7715f3f
                                      • Opcode Fuzzy Hash: e10208de6e45c234ae72c7838d6df12172b4784ed83203ced3ef1ecfb89e9ed9
                                      • Instruction Fuzzy Hash: 7161AF71A00109DBDF14DFA4DD89FEDBBB9AF48304F1085A9E50AA7690EB349A45CF60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00AFAB93: GetModuleHandleW.KERNEL32(00000000,00AF9796,00B09D28,00000014), ref: 00AFAB95
                                      • _c_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00AF97DE
                                      • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,00B09D28,00000014), ref: 00AF980D
                                      • _configure_wide_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00000007,00B09D28,00000014), ref: 00AF9819
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089290413.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                      • Associated: 00000013.00000002.2089273833.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089322146.0000000000AFE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089341405.0000000000B11000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089355959.0000000000B12000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089371466.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000013.00000002.2089391551.0000000000B14000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_ab0000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: HandleModule_c_exit_configure_wide_argv_exit
                                      • String ID:
                                      • API String ID: 1530975406-0
                                      • Opcode ID: f9ef06f40f53dfc58ffef80f6ce2a0c636b4e64387211ab71e5376ec96b67586
                                      • Instruction ID: 6b7bba071e67bab2b0c5a12b37b6518b666feef0bc20013a09a4de2116b952c9
                                      • Opcode Fuzzy Hash: f9ef06f40f53dfc58ffef80f6ce2a0c636b4e64387211ab71e5376ec96b67586
                                      • Instruction Fuzzy Hash: D5E0D87291420D9FDF15BBD4D6063FEB771AF40364F100565F621631D1CB3608108760
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_CTX_new.LIBCRYPTO-1_1 ref: 6CCAA995
                                      • EVP_PKEY_decrypt_init.LIBCRYPTO-1_1 ref: 6CCAA9A7
                                      • X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CCAA9C3
                                      • EVP_PKEY_derive_set_peer.LIBCRYPTO-1_1 ref: 6CCAA9D3
                                      • ASN1_item_d2i.LIBCRYPTO-1_1 ref: 6CCAAA04
                                      • ASN1_TYPE_get.LIBCRYPTO-1_1 ref: 6CCAAA20
                                      • EVP_PKEY_decrypt.LIBCRYPTO-1_1 ref: 6CCAAA73
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAAACF
                                        • Part of subcall function 6CC729E0: CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC72A3C
                                        • Part of subcall function 6CC729E0: memcpy.MSVCRT ref: 6CC72A6D
                                        • Part of subcall function 6CC729E0: memcpy.MSVCRT ref: 6CC72A99
                                        • Part of subcall function 6CC729E0: CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CC72ABE
                                        • Part of subcall function 6CC729E0: CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CC72B21
                                        • Part of subcall function 6CC729E0: CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CC72B5E
                                      • CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CCAAB56
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_clear_free$memcpy$E_getN1_item_d2iO_mallocX509_get0_pubkeyX_ctrlX_newY_decryptY_decrypt_initY_derive_set_peer
                                      • String ID: $0$0$A$P
                                      • API String ID: 1902205542-1211158425
                                      • Opcode ID: 1e3b31b2178495e9165ee6d5c3694ba97d91562cb642479e4bf201265cd5663c
                                      • Instruction ID: 5a4980f6d64577dbfffe0ca7d045aa78a8aed08bcc971883d2d4f6be38dee9b0
                                      • Opcode Fuzzy Hash: 1e3b31b2178495e9165ee6d5c3694ba97d91562cb642479e4bf201265cd5663c
                                      • Instruction Fuzzy Hash: 8A7202B06097069FE310DF65C5A835BBBE1BF85348F10891DE8E89BB50E779D4498F82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • X509_VERIFY_PARAM_free.LIBCRYPTO-1_1 ref: 6CC80D7F
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1(?,?,?,00000000,6CC81837), ref: 6CC80D95
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80DB5
                                      • X509_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80DCD
                                      • CRYPTO_free_ex_data.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80E0F
                                      • BIO_pop.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80E21
                                      • BIO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80E2F
                                      • BIO_free_all.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80E41
                                      • BIO_free_all.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80E4C
                                      • BUF_MEM_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80E57
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80E65
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80E73
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80E81
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80E8F
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80EDB
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80EED
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80F09
                                      • COMP_CTX_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC80F21
                                      • COMP_CTX_free.LIBCRYPTO-1_1 ref: 6CC80F39
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC80F51
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC80F69
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC80F9F
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC80FBD
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC80FE9
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC81007
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC81025
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC81043
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC81059
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC8106F
                                      • SCT_LIST_free.LIBCRYPTO-1_1 ref: 6CC8107D
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC8109B
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC810B9
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC810D7
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC810F5
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC8111D
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC8113B
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC81159
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC81167
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC8117D
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC81193
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC811A9
                                      • ASYNC_WAIT_CTX_free.LIBCRYPTO-1_1 ref: 6CC811E0
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC811FE
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC8120C
                                      • CRYPTO_THREAD_lock_free.LIBCRYPTO-1_1 ref: 6CC8121A
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC81232
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$X_free$L_sk_pop_free$L_sk_free$M_freeO_free_all$D_lock_freeO_free_ex_dataO_popT_freeX509_X509_free
                                      • String ID:
                                      • API String ID: 1975370867-0
                                      • Opcode ID: 01db3ee70dda48751f61875fb0248ded5cf0ad03acc030f560b7fb45eb1f0d41
                                      • Instruction ID: 4a32d517ba951e44704ce8fa735b877e075a6e8dee44c01779f4728d27bed619
                                      • Opcode Fuzzy Hash: 01db3ee70dda48751f61875fb0248ded5cf0ad03acc030f560b7fb45eb1f0d41
                                      • Instruction Fuzzy Hash: D5C16EB4509B009BDB04AFA4C5C579ABBF0AF45348F45886CEC88EF756E7349488CF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$R_put_error$O_reallocstrncmp$M_read_bioO_ctrlO_newO_s_filememcpystrlen
                                      • String ID: FOR$A$ERIN$ERIN$FO F$FOV2$OR $SERV$SERV$l
                                      • API String ID: 3095373799-598870608
                                      • Opcode ID: c48df43a25d3d133ebab644574d2214f684c9ec7ceb3cd46e484699ab4c48b8d
                                      • Instruction ID: f7f9235d2f1fb0147cf7e2862c993ec638beb4b1ba1ad2d510ca5a3a626d0979
                                      • Opcode Fuzzy Hash: c48df43a25d3d133ebab644574d2214f684c9ec7ceb3cd46e484699ab4c48b8d
                                      • Instruction Fuzzy Hash: 25D1DBB0A097019BE700DF65C58434FBBE0AFC5748F508D1DE5989BB90E7B9E949CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC791EF
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7922D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_mallocR_put_error
                                      • String ID: %-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s$A$AEAD$AES(128)$AES(256)$AESCCM(128)$AESCCM(256)$AESCCM8(128)$AESCCM8(256)$AESGCM(128)$AESGCM(256)$ARIAGCM(128)$ARIAGCM(256)$CHACHA20/POLY1305(256)$Camellia(128)$Camellia(256)$DES(56)$DHEPSK$ECDH$ECDHEPSK$GOST$GOST12$GOST2012$GOST89$GOST89(256)$MD5$PSK$RSAPSK$SEED(128)$SRP$unknown
                                      • API String ID: 2513334388-1049357918
                                      • Opcode ID: d593b084e7b02a020ace8d0e8c295d4c71d9766e9d94a40af37d83129a27a9da
                                      • Instruction ID: a95b43450c5a4ec713b44700a0a6007a5e961ecf8cd7078abd8e6bfe516b95cf
                                      • Opcode Fuzzy Hash: d593b084e7b02a020ace8d0e8c295d4c71d9766e9d94a40af37d83129a27a9da
                                      • Instruction Fuzzy Hash: CF718269705304CBD7244B0984D671AB6E1FB8A384F11483BEA656FF81F771CC84ABA3
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: ObjectSingleWait$Event_ftime$pthread_self$pthread_equal
                                      • String ID: 00Ib$00Ib
                                      • API String ID: 2663759302-3143399735
                                      • Opcode ID: c0910315902004cc1d1795d6d346b6d1b0f939e47f483289408a62bb8b7ed586
                                      • Instruction ID: 5fab8a428c89eb576d4e3262919311c36b493f54a953d2e4ed31592648cdad18
                                      • Opcode Fuzzy Hash: c0910315902004cc1d1795d6d346b6d1b0f939e47f483289408a62bb8b7ed586
                                      • Instruction Fuzzy Hash: A55270716297128FD744DF39C5A0B1AB7E1BF85728F108A2DE898CB395D738D941CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC80C07
                                        • Part of subcall function 6CC7BC50: OPENSSL_init_crypto.LIBCRYPTO-1_1 ref: 6CC7BC84
                                        • Part of subcall function 6CC74410: CRYPTO_THREAD_run_once.LIBCRYPTO-1_1 ref: 6CC74422
                                      • CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC808CD
                                      • CRYPTO_THREAD_lock_new.LIBCRYPTO-1_1 ref: 6CC80918
                                      • OPENSSL_LH_new.LIBCRYPTO-1_1 ref: 6CC80961
                                      • X509_STORE_new.LIBCRYPTO-1_1 ref: 6CC80971
                                      • CTLOG_STORE_new.LIBCRYPTO-1_1 ref: 6CC80981
                                        • Part of subcall function 6CC78290: OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 6CC7829E
                                        • Part of subcall function 6CC78290: CONF_parse_list.LIBCRYPTO-1_1 ref: 6CC782D1
                                        • Part of subcall function 6CC78290: OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC782E0
                                        • Part of subcall function 6CC78440: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC784F3
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC809EB
                                      • X509_VERIFY_PARAM_new.LIBCRYPTO-1_1 ref: 6CC809F8
                                      • EVP_get_digestbyname.LIBCRYPTO-1_1 ref: 6CC80A12
                                      • EVP_get_digestbyname.LIBCRYPTO-1_1 ref: 6CC80A2C
                                      • OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 6CC80A3F
                                      • OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 6CC80A52
                                      • CRYPTO_new_ex_data.LIBCRYPTO-1_1 ref: 6CC80A7A
                                      • CRYPTO_secure_zalloc.LIBCRYPTO-1_1 ref: 6CC80A9E
                                      • RAND_bytes.LIBCRYPTO-1_1 ref: 6CC80AE3
                                      • RAND_priv_bytes.LIBCRYPTO-1_1 ref: 6CC80B0B
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC80B99
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC80BC7
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC80C43
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC80C5B
                                        • Part of subcall function 6CC74450: CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC7446B
                                        • Part of subcall function 6CC74450: CRYPTO_THREAD_lock_new.LIBCRYPTO-1_1 ref: 6CC744A4
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC80C97
                                      • RAND_priv_bytes.LIBCRYPTO-1_1 ref: 6CC80CB9
                                      • RAND_priv_bytes.LIBCRYPTO-1_1 ref: 6CC80CDA
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC80D27
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC80D58
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$D_priv_bytesL_sk_new_null$D_lock_newE_newO_zallocP_get_digestbynameX509_$D_bytesD_run_onceF_parse_listH_newL_init_cryptoL_sk_freeL_sk_numM_newO_freeO_new_ex_dataO_secure_zalloc
                                      • String ID: $A$ALL:!COMPLEMENTOFDEFAULT:!eNULL$TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256$ssl3-md5$ssl3-sha1
                                      • API String ID: 182319435-1232615831
                                      • Opcode ID: 5400b2b3e113d98efc30c4709b41a459811abb5b3d64dfaa3d2ddd6f8395c841
                                      • Instruction ID: 0cde6d2c613c1c02b24fa7ef1003ce45a915a78cb04cccaacbef9dbf1a35cbb8
                                      • Opcode Fuzzy Hash: 5400b2b3e113d98efc30c4709b41a459811abb5b3d64dfaa3d2ddd6f8395c841
                                      • Instruction Fuzzy Hash: C1B1F4B051A7429FEB009F65C59539BBFE0AF4134CF10886DD8989FB51E7B9C448CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CCA58FD
                                      • strlen.MSVCRT ref: 6CCA59BD
                                      • BN_num_bits.LIBCRYPTO-1_1 ref: 6CCA5A3D
                                      • BN_bn2bin.LIBCRYPTO-1_1 ref: 6CCA5A8C
                                      • EVP_PKEY_size.LIBCRYPTO-1_1 ref: 6CCA5B28
                                      • EVP_DigestSignInit.LIBCRYPTO-1_1 ref: 6CCA5B78
                                      • EVP_DigestSign.LIBCRYPTO-1_1 ref: 6CCA5BE7
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA5C05
                                        • Part of subcall function 6CC644F0: CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC64521
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCA5C57
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CCA5CD5
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA5CF1
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCA5CFD
                                      • RSA_pkey_ctx_ctrl.LIBCRYPTO-1_1 ref: 6CCA6351
                                      • RSA_pkey_ctx_ctrl.LIBCRYPTO-1_1 ref: 6CCA6381
                                        • Part of subcall function 6CCA4EA0: CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CCA4EC5
                                        • Part of subcall function 6CCA4EA0: memcpy.MSVCRT ref: 6CCA4F5D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: A_pkey_ctx_ctrlDigestO_freeSignX_free$InitN_bn2binN_num_bitsO_mallocO_zallocX_newY_freeY_sizememcpystrlen
                                      • String ID: $D$P
                                      • API String ID: 835604786-3315823934
                                      • Opcode ID: e3c32391e792fe48e435e02d963bdb198b4b67d5d0164b79555ae1318c866bf5
                                      • Instruction ID: 8de18f09785dad5470e32869a31c4263c988a51273185676562db692241e6d38
                                      • Opcode Fuzzy Hash: e3c32391e792fe48e435e02d963bdb198b4b67d5d0164b79555ae1318c866bf5
                                      • Instruction Fuzzy Hash: 5242D4B0509B429FE700DF65C58875FBBE0BF84748F50891DE9A89BB50E7B8D4498F82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CCA6B16
                                      • EVP_CIPHER_CTX_new.LIBCRYPTO-1_1 ref: 6CCA6B25
                                      • HMAC_CTX_new.LIBCRYPTO-1_1 ref: 6CCA6B2E
                                      • EVP_CIPHER_CTX_iv_length.LIBCRYPTO-1_1 ref: 6CCA6C41
                                      • EVP_MD_size.LIBCRYPTO-1_1 ref: 6CCA6E4D
                                      • RAND_bytes.LIBCRYPTO-1_1 ref: 6CCA6ECD
                                      • time.MSVCRT ref: 6CCA6F87
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA6FC3
                                      • CRYPTO_memdup.LIBCRYPTO-1_1 ref: 6CCA6FF4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_new$D_bytesD_sizeO_freeO_mallocO_memdupX_iv_lengthtime
                                      • String ID: $@$A$resumption
                                      • API String ID: 3790227056-2290827812
                                      • Opcode ID: 77bf50df6d5a3582af991b0dc8bf2673eabf5cb8036cd817334975494f63107a
                                      • Instruction ID: 1e84155d6e33d04d5039d561eb7c79e3a57f65bd2d567104dbe2ed48bf53324f
                                      • Opcode Fuzzy Hash: 77bf50df6d5a3582af991b0dc8bf2673eabf5cb8036cd817334975494f63107a
                                      • Instruction Fuzzy Hash: 2D62D2B4A097469FD710DF69C18879BBBE0BF84348F10892DE998CB750E774D849CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC9EC76
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CCA1B31
                                      • X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CCA1B57
                                      • EVP_PKEY_size.LIBCRYPTO-1_1 ref: 6CCA1C43
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeX509_get0_pubkeyX_newY_size
                                      • String ID: D$P$d
                                      • API String ID: 1207971869-2475318186
                                      • Opcode ID: fc317c5e3418688ddc80aa403f9d7df158ea8c15bd8267830d85b0534be63532
                                      • Instruction ID: 8394e8ef30f31766059c080b10234c84a11fabc1e2c04d2f7d77d455a56d313d
                                      • Opcode Fuzzy Hash: fc317c5e3418688ddc80aa403f9d7df158ea8c15bd8267830d85b0534be63532
                                      • Instruction Fuzzy Hash: BF9236B0509702CFD300DF69C58879BBBE0BF85348F04896DE9989BB51E779D949CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 6CC6C199
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CC6C1A1
                                      • EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 6CC6C218
                                      • EVP_MD_size.LIBCRYPTO-1_1 ref: 6CC6C220
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_sizeR_flagsX_cipherX_md
                                      • String ID: /$CONNE$D$GET $HEAD $POST $PUT $h
                                      • API String ID: 1386929052-3412271234
                                      • Opcode ID: 1d32067eafd05e1e99f8c1aa6db7b3a66b38ec91c654c13a0cb2e9513d4d9773
                                      • Instruction ID: bb116be7861c4c202b15a56c900446986d394cd5abb4cebe8d68658d2fcc20d1
                                      • Opcode Fuzzy Hash: 1d32067eafd05e1e99f8c1aa6db7b3a66b38ec91c654c13a0cb2e9513d4d9773
                                      • Instruction Fuzzy Hash: 2F826EB06093418FDB10DF26C6C435ABBE1BF84308F14896DE8999BF51E775D884CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC82E13
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC82E2F
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC82E47
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC82E67
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC82E7F
                                      • OPENSSL_sk_new_reserve.LIBCRYPTO-1_1 ref: 6CC82ED8
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC82F16
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_numL_sk_pop_free$L_sk_new_reserveL_sk_valueX509_free
                                      • String ID: A
                                      • API String ID: 3363563759-3554254475
                                      • Opcode ID: 8b51379d44da26e2fba2022c0c8f55eaddcaa80972646673097d887cd7d29d09
                                      • Instruction ID: 90bc78f392e8130b2d9d3e9b5fa1773f8033779d5a0e8c5a67f49acf9a57b98d
                                      • Opcode Fuzzy Hash: 8b51379d44da26e2fba2022c0c8f55eaddcaa80972646673097d887cd7d29d09
                                      • Instruction Fuzzy Hash: 2FF1E0B0606B028FDB10DF69C58479ABBE4BF44308F18897DED998B746E734E444CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CC98FA6
                                      • EVP_PKEY_CTX_new.LIBCRYPTO-1_1 ref: 6CC98FB6
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC98FDC
                                      • EVP_PKEY_encrypt_init.LIBCRYPTO-1_1 ref: 6CC98FEE
                                      • RAND_bytes.LIBCRYPTO-1_1 ref: 6CC99006
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CC99013
                                      • OBJ_nid2sn.LIBCRYPTO-1_1 ref: 6CC99027
                                      • EVP_get_digestbyname.LIBCRYPTO-1_1 ref: 6CC9902F
                                      • EVP_DigestInit.LIBCRYPTO-1_1 ref: 6CC9903F
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC99063
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC9908B
                                      • EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 6CC990AF
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC990C3
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CC990EF
                                      • EVP_PKEY_encrypt.LIBCRYPTO-1_1 ref: 6CC99123
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CC991A0
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CC991FB
                                      • CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CC9921B
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC99227
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: DigestX_free$UpdateX_new$D_bytesFinal_exInitJ_nid2snO_clear_freeO_mallocP_get_digestbynameX509_get0_pubkeyX_ctrlY_encryptY_encrypt_init
                                      • String ID: $ $A$P
                                      • API String ID: 1980337386-3416711434
                                      • Opcode ID: bd199cdf3ce3edef0bc932c59e1f67749ad5ebabf3014cab2b13bbf197f0e8d5
                                      • Instruction ID: d784e2dabacbeeb46979a8ab2ef985937880fa62cfd1c10ef47c773a09aab877
                                      • Opcode Fuzzy Hash: bd199cdf3ce3edef0bc932c59e1f67749ad5ebabf3014cab2b13bbf197f0e8d5
                                      • Instruction Fuzzy Hash: EE91B3B0509B019FE7009F65D58839FBBE0BF85758F408D2DE8989B750E779C5888B93
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 6CCAFA66
                                      • HMAC_CTX_free.LIBCRYPTO-1_1 ref: 6CCAFA6E
                                      • HMAC_size.LIBCRYPTO-1_1 ref: 6CCAFB5D
                                      • EVP_CIPHER_CTX_iv_length.LIBCRYPTO-1_1 ref: 6CCAFB7A
                                      • HMAC_Update.LIBCRYPTO-1_1 ref: 6CCAFBA7
                                      • HMAC_Final.LIBCRYPTO-1_1 ref: 6CCAFBCB
                                      • CRYPTO_memcmp.LIBCRYPTO-1_1 ref: 6CCAFBF8
                                      • EVP_CIPHER_CTX_iv_length.LIBCRYPTO-1_1 ref: 6CCAFC0C
                                      • EVP_CIPHER_CTX_iv_length.LIBCRYPTO-1_1 ref: 6CCAFC2B
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CCAFC48
                                      • EVP_DecryptUpdate.LIBCRYPTO-1_1 ref: 6CCAFC80
                                      • EVP_DecryptFinal.LIBCRYPTO-1_1 ref: 6CCAFCA8
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCAFD0E
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 6CCAFD4A
                                      • HMAC_CTX_free.LIBCRYPTO-1_1 ref: 6CCAFD52
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 6CCAFEFF
                                      • HMAC_CTX_free.LIBCRYPTO-1_1 ref: 6CCAFF07
                                      • EVP_sha256.LIBCRYPTO-1_1 ref: 6CCAFF9A
                                      • HMAC_Init_ex.LIBCRYPTO-1_1 ref: 6CCAFFC0
                                      • EVP_aes_256_cbc.LIBCRYPTO-1_1 ref: 6CCAFFDB
                                      • EVP_DecryptInit_ex.LIBCRYPTO-1_1 ref: 6CCB0008
                                      • memcpy.MSVCRT ref: 6CCB00D1
                                      • ERR_clear_error.LIBCRYPTO-1_1 ref: 6CCB010E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_free$DecryptX_iv_length$FinalInit_exUpdate$C_sizeO_freeO_mallocO_memcmpP_aes_256_cbcP_sha256R_clear_errormemcpy
                                      • String ID:
                                      • API String ID: 2379049402-3916222277
                                      • Opcode ID: 834b938c2befff7bc8b41d7bc47b93ca70f9634415fbef2e3df7ba0e017a637b
                                      • Instruction ID: 1f3b941275c8dd310a6636e25e860a933a8ad243c9bbe3a24c90baeda17386f8
                                      • Opcode Fuzzy Hash: 834b938c2befff7bc8b41d7bc47b93ca70f9634415fbef2e3df7ba0e017a637b
                                      • Instruction Fuzzy Hash: 6EA1C0B56097419FC304CF69C184B5ABBF1BF88748F548A6DE4C8AB750E738D946CB42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 6CC9B89B
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC9B93D
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC9B94D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_new_nullL_sk_pop_freeX509_free
                                      • String ID: /$@$A
                                      • API String ID: 1383825558-709520065
                                      • Opcode ID: f44fad26c4dc04261cc7868b2d1a74abc1fe112b0a1ed62566a405448b6ee468
                                      • Instruction ID: f248726bd201af70633a92217c2f875e65247718230bb87b7795c9e45ebd3a00
                                      • Opcode Fuzzy Hash: f44fad26c4dc04261cc7868b2d1a74abc1fe112b0a1ed62566a405448b6ee468
                                      • Instruction Fuzzy Hash: A10232B061A705EFD310DF69C19875ABBE1FF85308F11892DE4988BB50E779D849CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC89C92
                                      • CRYPTO_THREAD_lock_new.LIBCRYPTO-1_1 ref: 6CC89D56
                                      • CRYPTO_new_ex_data.LIBCRYPTO-1_1 ref: 6CC89D78
                                      • X509_up_ref.LIBCRYPTO-1_1 ref: 6CC89D92
                                      • X509_chain_up_ref.LIBCRYPTO-1_1 ref: 6CC89DB8
                                      • CRYPTO_strdup.LIBCRYPTO-1_1 ref: 6CC89DE8
                                      • CRYPTO_strdup.LIBCRYPTO-1_1 ref: 6CC89E18
                                      • CRYPTO_dup_ex_data.LIBCRYPTO-1_1 ref: 6CC89E40
                                      • CRYPTO_strdup.LIBCRYPTO-1_1 ref: 6CC89E66
                                      • CRYPTO_memdup.LIBCRYPTO-1_1 ref: 6CC89EAC
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC89EE7
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC8A01F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_strdup$R_put_error$D_lock_newO_dup_ex_dataO_mallocO_memdupO_new_ex_dataX509_chain_up_refX509_up_ref
                                      • String ID: A
                                      • API String ID: 1748583080-3554254475
                                      • Opcode ID: 52fb87f4fc24a1cd6f5950a72e5e33847b2a7b48fd857acd0a16cb4c683d867d
                                      • Instruction ID: b66293b4fcedd9c938cdbd1f548984ebd52426fd68076101110b19f6fe9464b3
                                      • Opcode Fuzzy Hash: 52fb87f4fc24a1cd6f5950a72e5e33847b2a7b48fd857acd0a16cb4c683d867d
                                      • Instruction Fuzzy Hash: 1991E3B06067028BEB108F65D9943DABBE4AF8134CF15883DEC989F784E775D444CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 6CC6CFD9
                                      • EVP_MD_size.LIBCRYPTO-1_1 ref: 6CC6CFE1
                                      • CRYPTO_memcmp.LIBCRYPTO-1_1 ref: 6CC6D058
                                      • COMP_expand_block.LIBCRYPTO-1_1 ref: 6CC6D0F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_sizeO_memcmpP_expand_blockX_md
                                      • String ID: D$P
                                      • API String ID: 4206775157-307317852
                                      • Opcode ID: 2b10b6356f1858de59b478c2d27b9b73d3b3398d83431f4d0b3bfe52333541ad
                                      • Instruction ID: 9094daeef8900509e3a3a9ebf5304144dca8630bfdf7d4dcc119c1e9b9e8b1da
                                      • Opcode Fuzzy Hash: 2b10b6356f1858de59b478c2d27b9b73d3b3398d83431f4d0b3bfe52333541ad
                                      • Instruction Fuzzy Hash: C8E119B0509705DFE700DF26C6C435ABBE0BF84308F14896DE9989BB56EBB9D4488B52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_THREAD_run_once.LIBCRYPTO-1_1(?,?,?,?,00000001,6CC6F4AE), ref: 6CC77E94
                                      • OPENSSL_sk_find.LIBCRYPTO-1_1(?,?,?,?,00000001,6CC6F4AE), ref: 6CC77EBE
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1(?,?,?,?,00000001,6CC6F4AE), ref: 6CC77ECF
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CC7805D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_run_onceL_sk_findL_sk_valueR_flags
                                      • String ID: AES-128-CBC-HMAC-SHA1$AES-128-CBC-HMAC-SHA256$AES-256-CBC-HMAC-SHA1$AES-256-CBC-HMAC-SHA256$RC4-HMAC-MD5
                                      • API String ID: 1582411886-741925770
                                      • Opcode ID: fa47945009ee7e25e71a4245ba35f974205e762a9e8c8bb4e0a412f3204f7072
                                      • Instruction ID: 715f0d1d7c8d3a4fc09d9d8fb1cd69074110dcb9b0949770a00160f25e81ab00
                                      • Opcode Fuzzy Hash: fa47945009ee7e25e71a4245ba35f974205e762a9e8c8bb4e0a412f3204f7072
                                      • Instruction Fuzzy Hash: 0F8152702097098BE7358F66C684B2AB7B1FF46348F10452AEA51D7F50F731E885DBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC7CCC5
                                      • BUF_MEM_free.LIBCRYPTO-1_1 ref: 6CC7CD3D
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 6CC7CD56
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 6CC7CD72
                                      • COMP_CTX_free.LIBCRYPTO-1_1 ref: 6CC7CD8A
                                      • COMP_CTX_free.LIBCRYPTO-1_1 ref: 6CC7CDA2
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC7CDBA
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC7CDD2
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC7CDFE
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC7CE2A
                                      • X509_VERIFY_PARAM_move_peername.LIBCRYPTO-1_1 ref: 6CC7CE54
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC7CE72
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7CF01
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7CF69
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_free$O_freeR_put_error$M_freeM_move_peernameX509_X509_free
                                      • String ID: D
                                      • API String ID: 489103953-2746444292
                                      • Opcode ID: 51f7f9f6960eb39479a26636b21b9328d514b1a0f46685fbcb487789c9185182
                                      • Instruction ID: 3cbacf60cc2adec1047fe9ce910266c2250ac8f7596847a769ce8b677332651e
                                      • Opcode Fuzzy Hash: 51f7f9f6960eb39479a26636b21b9328d514b1a0f46685fbcb487789c9185182
                                      • Instruction Fuzzy Hash: 2D71B3B05087018FDB10AF65C4D879A7BE4FF04318F0989BCDD989F786E77984448BA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_iv_lengthmemcpymemmove
                                      • String ID: D$P
                                      • API String ID: 2315481903-307317852
                                      • Opcode ID: 38b3fc2376513c953f9008fa536888bbae97174cc4d810f9cbb19f3d58088b40
                                      • Instruction ID: b85be4ae0ccb3db007c3a9bfb9bd6d89afef79b0c538ee32ab42a25f8ef0d235
                                      • Opcode Fuzzy Hash: 38b3fc2376513c953f9008fa536888bbae97174cc4d810f9cbb19f3d58088b40
                                      • Instruction Fuzzy Hash: FBF116B06087459FD700DF2AC68475AFBF0BF89358F14896DE8988BB41E375E584CB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: memcmp$O_free
                                      • String ID: $/$D
                                      • API String ID: 1164154733-2616952194
                                      • Opcode ID: 288b34a630e7b412ab5e5beb745dad395ba4c6112ced6ebe883f2876a5c3b65c
                                      • Instruction ID: 83f10b50e99e0482640b3efb5ff2e969a22efb1fc1c1798d50f59b75e3763d9f
                                      • Opcode Fuzzy Hash: 288b34a630e7b412ab5e5beb745dad395ba4c6112ced6ebe883f2876a5c3b65c
                                      • Instruction Fuzzy Hash: 5062E2B0509305EFE710CF15C59475ABBF0BF84748F50892DE8988BB51E7B9D989CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CCA0F0B
                                      • memcpy.MSVCRT ref: 6CCA0F42
                                        • Part of subcall function 6CC64DF0: CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC64E58
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeO_mallocmemcpy
                                      • String ID: A
                                      • API String ID: 2350084802-3554254475
                                      • Opcode ID: 0fb3597e84fd80318b238c2615f6fd64582bb4783611b0ba4a1d4421b0d0e7a5
                                      • Instruction ID: 53c9b370ee3c7139f64733e4ec0b43918f86f3f518b432f3d9a3977f6166730a
                                      • Opcode Fuzzy Hash: 0fb3597e84fd80318b238c2615f6fd64582bb4783611b0ba4a1d4421b0d0e7a5
                                      • Instruction Fuzzy Hash: 32712DB0509346CFCB00DF65C58479ABBE0FF88348F15896DE898AB755E374D886CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID: 2$A
                                      • API String ID: 2581946324-681408588
                                      • Opcode ID: 634900587f990bec556f10d163db84d73378839cd0832a382c32fb0e277eba1a
                                      • Instruction ID: 02b460da35ae21ba9a8385c4ccde907712df3fca07cff12c90db202cb82e7636
                                      • Opcode Fuzzy Hash: 634900587f990bec556f10d163db84d73378839cd0832a382c32fb0e277eba1a
                                      • Instruction Fuzzy Hash: 7FD1E3B060AB01DFD700DF25C58939BBBE1BF85748F50892DE8988BB50E779D5498F82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: @$@$invalid bit length repeat$invalid block type$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$invalid stored block lengths$too many length or distance symbols
                                      • API String ID: 0-2458015535
                                      • Opcode ID: 480458d99bb864b81686c7c00a8d1d5f481d88d2b69fc0b0877fc06832221fc5
                                      • Instruction ID: aaecf94b156e6b576ec74117f0522ce8d58e1a662c1c956ddeb41d848e17a0b8
                                      • Opcode Fuzzy Hash: 480458d99bb864b81686c7c00a8d1d5f481d88d2b69fc0b0877fc06832221fc5
                                      • Instruction Fuzzy Hash: 65D20975E142598FCB14CFA9C4A069DFBF2BF89314F24C16AD898AB345D3389946CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_get0_RSA.LIBCRYPTO-1_1 ref: 6CCAACEC
                                      • RSA_size.LIBCRYPTO-1_1 ref: 6CCAAD59
                                      • RSA_size.LIBCRYPTO-1_1 ref: 6CCAAD72
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CCAAD8A
                                      • RAND_priv_bytes.LIBCRYPTO-1_1 ref: 6CCAADB2
                                      • RSA_private_decrypt.LIBCRYPTO-1_1 ref: 6CCAADE2
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCAAF73
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: A_size$A_private_decryptD_priv_bytesO_freeO_mallocY_get0_
                                      • String ID: 0$0$0
                                      • API String ID: 4135349637-3137946472
                                      • Opcode ID: 0520738dc7391001fc3e48f28d6e7c7dd51b5253200c820631e7da4d5a715fdd
                                      • Instruction ID: 5c64b7a8c1d507f88a70889e600b24a98a7be617bb556bd7bff1808b3f5944e3
                                      • Opcode Fuzzy Hash: 0520738dc7391001fc3e48f28d6e7c7dd51b5253200c820631e7da4d5a715fdd
                                      • Instruction Fuzzy Hash: B371AE766197518FC740CF3AC84426EBBE2AFC8304F598A1DF8D8DB744E638E9058B42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_CTX_new.LIBCRYPTO-1_1 ref: 6CC73026
                                      • EVP_PKEY_derive_init.LIBCRYPTO-1_1 ref: 6CC73030
                                      • EVP_PKEY_derive_set_peer.LIBCRYPTO-1_1 ref: 6CC73044
                                      • EVP_PKEY_derive.LIBCRYPTO-1_1 ref: 6CC73064
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC73088
                                      • EVP_PKEY_derive.LIBCRYPTO-1_1 ref: 6CC730A2
                                        • Part of subcall function 6CCB3480: EVP_PKEY_CTX_new_id.LIBCRYPTO-1_1 ref: 6CCB34A0
                                        • Part of subcall function 6CCB3480: EVP_MD_size.LIBCRYPTO-1_1 ref: 6CCB34B2
                                        • Part of subcall function 6CCB3480: EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CCB34E1
                                        • Part of subcall function 6CCB3480: EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 6CCB34FF
                                        • Part of subcall function 6CCB3480: EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 6CCB3522
                                        • Part of subcall function 6CCB3480: EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCB3536
                                        • Part of subcall function 6CCB3480: EVP_PKEY_derive_init.LIBCRYPTO-1_1 ref: 6CCB359A
                                        • Part of subcall function 6CCB3480: EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCB35CE
                                        • Part of subcall function 6CCB3480: EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCB35FE
                                        • Part of subcall function 6CCB3480: EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CCB3650
                                      • CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CC731A7
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CC731AF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_free$DigestX_ctrlX_newY_deriveY_derive_init$D_sizeFinal_exInit_exO_clear_freeO_mallocX_new_idY_derive_set_peer
                                      • String ID: D$P
                                      • API String ID: 2026687770-307317852
                                      • Opcode ID: 79b7b4fb83a53cfd39a5c881af0174f9a21a0b477f7d617137a12d0ca6258dd6
                                      • Instruction ID: aff1edb42153d22f235553b590c14fb7d6ddacd76849ea342515756a1cd4c19c
                                      • Opcode Fuzzy Hash: 79b7b4fb83a53cfd39a5c881af0174f9a21a0b477f7d617137a12d0ca6258dd6
                                      • Instruction Fuzzy Hash: 4461CFB16097029FE3109F65C48835BFBE4FF84758F05891DE8989BB40E779D9488BA3
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c2dc84d752ab22db368e2445b2ee5d4f5e6c19ea1a26093189653a4d12f05a17
                                      • Instruction ID: 0b55bcc0457bd966d224f664962f56c9b95e7839219aa461617d24bcc9624a2d
                                      • Opcode Fuzzy Hash: c2dc84d752ab22db368e2445b2ee5d4f5e6c19ea1a26093189653a4d12f05a17
                                      • Instruction Fuzzy Hash: 80C23A75A04605CFCB14CF28C1A069AF7F1FF49318F29C6AAD8995B756D338E842CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC9EFE2
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC9F02B
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC9F05D
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC9F077
                                      • CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC9F099
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC9F0CD
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC9F0E5
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC9F117
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$O_freeO_malloc$O_zalloc
                                      • String ID: A
                                      • API String ID: 3443764238-3554254475
                                      • Opcode ID: 635a987aa77e01696e1d04815114256a1e3c17f4bdc345fc5a93fbbd01392a5f
                                      • Instruction ID: 582f6a8dc801120a3f80a8d05af2052bb9097f5e6410fa68774deb713c8d9b20
                                      • Opcode Fuzzy Hash: 635a987aa77e01696e1d04815114256a1e3c17f4bdc345fc5a93fbbd01392a5f
                                      • Instruction Fuzzy Hash: D43128B111D7019EE7009F95C44535EBAE4BF81388F01C92CE5C8ABB50E7BAC4998B83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_clear_free$O_mallocmemcpy$memset
                                      • String ID:
                                      • API String ID: 2823221857-0
                                      • Opcode ID: b2549512d35050ae996b70454183a71eccea14fbcf4ea0a2d0a2fc92e50db2ca
                                      • Instruction ID: 0c1bcec24bca3c7e976feb8ecb5df4a78efdc8125d419efb595fa21d3513da60
                                      • Opcode Fuzzy Hash: b2549512d35050ae996b70454183a71eccea14fbcf4ea0a2d0a2fc92e50db2ca
                                      • Instruction Fuzzy Hash: AD7113B4A08341CFD700DF69C49865AFBE0FF88754F15C96DE888AB721E774D8488B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CCB4E16
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CCB4E34
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CCB4E42
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CCB4E50
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CCB4E5E
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CCB4E6C
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CCB4E7A
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CCB4E88
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CCB4E96
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CCB4EA4
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: N_free$O_free
                                      • String ID:
                                      • API String ID: 3506937590-0
                                      • Opcode ID: 8f7a5bc715f27901e007b78d9a6437be902b80f7e8edb1b8f92757869ded0f3d
                                      • Instruction ID: 705d11c179430d5826f44c493971d05cbe8a4cbbef36167e47ce3714ef884f2f
                                      • Opcode Fuzzy Hash: 8f7a5bc715f27901e007b78d9a6437be902b80f7e8edb1b8f92757869ded0f3d
                                      • Instruction Fuzzy Hash: B221D5B5604B418BDB04AFA8C4C4BDEBBF0AF05348F8549BDDC88AF745E77494458B52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC623F6), ref: 6CCB4F26
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC623F6), ref: 6CCB4F44
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC623F6), ref: 6CCB4F52
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC623F6), ref: 6CCB4F60
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC623F6), ref: 6CCB4F6E
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC623F6), ref: 6CCB4F7C
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC623F6), ref: 6CCB4F8A
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC623F6), ref: 6CCB4F98
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC623F6), ref: 6CCB4FA6
                                      • BN_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC623F6), ref: 6CCB4FB4
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: N_free$O_free
                                      • String ID:
                                      • API String ID: 3506937590-0
                                      • Opcode ID: fe5ca425fc4dfdbd36cfa9490ccaafd2cfa1cd5c832fab92eb467905b807058a
                                      • Instruction ID: 87b68e25f85b60719ab81e3b81f7eb0ca2f213eedf96a3ab3d05911253f28550
                                      • Opcode Fuzzy Hash: fe5ca425fc4dfdbd36cfa9490ccaafd2cfa1cd5c832fab92eb467905b807058a
                                      • Instruction Fuzzy Hash: F22107B5605B008BDB04AFA8C0C479EBBE1EF84314F854ABCEC88AF705E7359455CB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_zallocmemcpy
                                      • String ID: /$D$d
                                      • API String ID: 366052536-1715934810
                                      • Opcode ID: 8fb45d0a39be1009b6a269d48a4537e7e3267cd4dafbef987686d6933cc6eaed
                                      • Instruction ID: d641ad58f1ba8e5e3c91effce54f46c8a3bbe7e04cc1b3b79cd8d3db6722900f
                                      • Opcode Fuzzy Hash: 8fb45d0a39be1009b6a269d48a4537e7e3267cd4dafbef987686d6933cc6eaed
                                      • Instruction Fuzzy Hash: F6428BB1909752CFC710CF15C58875ABBF1BF89308F258A6EE8899B745E331D946CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC789F7
                                      • OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 6CC78A03
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC78A16
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC78B57
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC78C17
                                      • OPENSSL_sk_dup.LIBCRYPTO-1_1 ref: 6CC78C23
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC78C3B
                                      • OPENSSL_sk_set_cmp_func.LIBCRYPTO-1_1 ref: 6CC78C51
                                      • OPENSSL_sk_sort.LIBCRYPTO-1_1 ref: 6CC78C5F
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC78C6D
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_free$L_sk_dupL_sk_numL_sk_pushL_sk_set_cmp_funcL_sk_sortL_sk_valueO_free
                                      • String ID:
                                      • API String ID: 752987063-0
                                      • Opcode ID: 18b9de6e49ad1ebcef7d832e97f74051c9b6ba4d706870c216d6b6dfb3241a16
                                      • Instruction ID: fa2847fb03c03a0dcc0c30bc96fb7fe6554d96bdaefa8c2bbabd250a63b452e1
                                      • Opcode Fuzzy Hash: 18b9de6e49ad1ebcef7d832e97f74051c9b6ba4d706870c216d6b6dfb3241a16
                                      • Instruction Fuzzy Hash: 6B21A475509B108FD7109FA8C48055EBBE0EF88798F05491EEA95E7720E734D8849B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • COMP_zlib.LIBCRYPTO-1_1 ref: 6CC76825
                                      • CRYPTO_mem_ctrl.LIBCRYPTO-1_1 ref: 6CC76833
                                      • OPENSSL_sk_new.LIBCRYPTO-1_1 ref: 6CC7683F
                                      • COMP_get_type.LIBCRYPTO-1_1 ref: 6CC7684C
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC76875
                                      • COMP_get_name.LIBCRYPTO-1_1 ref: 6CC7688C
                                      • OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 6CC768A0
                                      • OPENSSL_sk_sort.LIBCRYPTO-1_1 ref: 6CC768AD
                                      • CRYPTO_mem_ctrl.LIBCRYPTO-1_1 ref: 6CC768B9
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_mem_ctrl$L_sk_newL_sk_pushL_sk_sortO_mallocP_get_nameP_get_typeP_zlib
                                      • String ID:
                                      • API String ID: 680475741-0
                                      • Opcode ID: e12f9f1e80db1d42b9d1ee247f3ef7440652285eb30c5cce2702d201662bd6a2
                                      • Instruction ID: 022b49465fcda8c9e593d04f144d5a42ef51013657ffba266cf721b9f7111805
                                      • Opcode Fuzzy Hash: e12f9f1e80db1d42b9d1ee247f3ef7440652285eb30c5cce2702d201662bd6a2
                                      • Instruction Fuzzy Hash: 3811DBB1A05B018ADF146FB4D54436ABBF4BF01348F06882CD4C9EBB40EB74A485CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC78596
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC788D3
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC789CD
                                      • OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 6CC789D2
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC78D52
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC78DD5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeO_malloc$L_sk_new_nullR_put_error
                                      • String ID: DEFAULT$ECDHE-ECDSA-AES128-GCM-SHA256
                                      • API String ID: 3714357774-1565048056
                                      • Opcode ID: ef5141efe3f992f7660a3dcb5acd8142b02855968b37cf957fdfb336afddc159
                                      • Instruction ID: d77ccbbf1525af31330bdeb5013704c322b5e92c9771d40eec9d0ae94190afb1
                                      • Opcode Fuzzy Hash: ef5141efe3f992f7660a3dcb5acd8142b02855968b37cf957fdfb336afddc159
                                      • Instruction Fuzzy Hash: 0FD124B06097019FD764CF29C480B1BBBE2FF84358F15C92EE5999B790EB34D8458B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: :$:
                                      • API String ID: 0-3780739392
                                      • Opcode ID: 2e7039fab5fbc316f661a580583dfe90aa6af0eaf5ac368b7e1452707ce23841
                                      • Instruction ID: a36c2da18aa43679b96aa35ea3aa6c4226de8a0298ac570a0bd7c4cf54f56cce
                                      • Opcode Fuzzy Hash: 2e7039fab5fbc316f661a580583dfe90aa6af0eaf5ac368b7e1452707ce23841
                                      • Instruction Fuzzy Hash: 7BB12974A49700CFD714CF1AC4C0B8AB7E5FB8AB14F148669EC489B74AE770D945CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeO_mallocmemcpy
                                      • String ID: D$P
                                      • API String ID: 2350084802-307317852
                                      • Opcode ID: b20f653699824cbb3d6338bcc110f93aa82960cbcaee31887699d2317ca936c2
                                      • Instruction ID: cb5c5a943a23a5353745b9ca7b6cd281a2ba354a9b93ac1e75f2a3c20eebc7c3
                                      • Opcode Fuzzy Hash: b20f653699824cbb3d6338bcc110f93aa82960cbcaee31887699d2317ca936c2
                                      • Instruction Fuzzy Hash: F45101B5609701CFD700CF29C09575AFBE4BF84748F15896DE8988BB50E774EA44CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Similarity
                                      • API ID: R_put_error$O_reallocmemcpy
                                      • String ID: A
                                      • API String ID: 1318616892-3554254475
                                      • Opcode ID: c1d161441f567e207047642063f0fadda2bed571e77fe9a0dccd2def95447f41
                                      • Instruction ID: 96518e68fb139fceb1d01d4ee1f3e4f6255560ef8ff3f444e746d097a5b8890c
                                      • Opcode Fuzzy Hash: c1d161441f567e207047642063f0fadda2bed571e77fe9a0dccd2def95447f41
                                      • Instruction Fuzzy Hash: CA5148B560A3129FE700DF65C58475BBBE0FF80348F508D2EE4989BA50E379E448CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CCA9B6A
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CCA9B76
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA9B94
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA9BB2
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CCA9DB5
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CCA9DCD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Similarity
                                      • API ID: L_sk_freeO_free$L_sk_numL_sk_value
                                      • String ID: V
                                      • API String ID: 106368298-1342839628
                                      • Opcode ID: 60f6fe82bbfaaa85019c89f34f8ba777fbb1027607272ed1836611542d6b29c4
                                      • Instruction ID: 076de909db39d0d8d162770e0c338c105504709db0ba6ac2468c741f87a6f5d9
                                      • Opcode Fuzzy Hash: 60f6fe82bbfaaa85019c89f34f8ba777fbb1027607272ed1836611542d6b29c4
                                      • Instruction Fuzzy Hash: A221B5B0509B018FD750AFA4C4C939EBBF0AF80348F058C2DE8988BB51E776D4898B42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Similarity
                                      • API ID: R_put_error$O_freeO_strdupstrlen
                                      • String ID: D
                                      • API String ID: 2679567148-2746444292
                                      • Opcode ID: 9d06aba8189d4555de04c9478478e404a840d58b92f3b4c6987dc6fb8a512ec3
                                      • Instruction ID: 39b873bb1328ca18865b58cc0a70bbcb7d8d203ec5994bcd74e9d0740969e643
                                      • Opcode Fuzzy Hash: 9d06aba8189d4555de04c9478478e404a840d58b92f3b4c6987dc6fb8a512ec3
                                      • Instruction Fuzzy Hash: 2D21FCB15087419EE7109F55D45435FBAE0FF80359F108C2DE4889FB50EB7AC149DBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Similarity
                                      • API ID: O_zalloc
                                      • String ID: D$P
                                      • API String ID: 1208671065-307317852
                                      • Opcode ID: ebfcd7c4b3d6e08372774e7850e413d93f9a7395db84ae7ef6e246a01f6909b0
                                      • Instruction ID: ee823ab428d41c76b46929962692b6316b280f7b32b0b76ca53bf54bc608bed7
                                      • Opcode Fuzzy Hash: ebfcd7c4b3d6e08372774e7850e413d93f9a7395db84ae7ef6e246a01f6909b0
                                      • Instruction Fuzzy Hash: E771C2B050A7059EE310DF25C59935BBBE0BF84788F118C1EE9988BB50E779D548CB93
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7D917
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Similarity
                                      • API ID: R_put_error
                                      • String ID: A
                                      • API String ID: 1767461275-3554254475
                                      • Opcode ID: bde1c524749c3cea40f7cea7adeb5dd57a39c6ca92bcf054759e38728771805d
                                      • Instruction ID: a8060d2a447f1ac364e547bfe866530dbd2a1bf379a716daf8824dafe5186c66
                                      • Opcode Fuzzy Hash: bde1c524749c3cea40f7cea7adeb5dd57a39c6ca92bcf054759e38728771805d
                                      • Instruction Fuzzy Hash: 426136B16083419FDB10CF29C48075ABBE1FFC5318F498A6DE8999B351E370E845CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC92E62
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC92E80
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC92F03
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC92F1B
                                      • CRYPTO_realloc.LIBCRYPTO-1_1 ref: 6CC92FAA
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,00000000,?,6CC87154), ref: 6CC930F3
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,00000000,?,6CC87154), ref: 6CC9310B
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Similarity
                                      • API ID: O_free$O_malloc$O_realloc
                                      • String ID:
                                      • API String ID: 3762033618-0
                                      • Opcode ID: 8a26696ce772c7e84af168959d8cf3eadd6b5715c242e06513b05322618d1beb
                                      • Instruction ID: 21d791b46fa8c5b4c6009ce288dfa434630cc8854ec02448086d0b616f3fc8e6
                                      • Opcode Fuzzy Hash: 8a26696ce772c7e84af168959d8cf3eadd6b5715c242e06513b05322618d1beb
                                      • Instruction Fuzzy Hash: 90514BB25097028BD714CF28C4A535AFBE0FF85354F11892DE8999BB50F375D884CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_LH_retrieve.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,000004E8,?,6CC8B7CE), ref: 6CC89885
                                      • OPENSSL_LH_delete.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,000004E8,?,6CC8B7CE), ref: 6CC8989C
                                      • CRYPTO_THREAD_write_lock.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,000004E8,?,6CC8B7CE), ref: 6CC899A9
                                      • OPENSSL_LH_retrieve.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,000004E8,?,6CC8B7CE), ref: 6CC899B8
                                      • OPENSSL_LH_delete.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,000004E8,?,6CC8B7CE), ref: 6CC899CD
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Similarity
                                      • API ID: H_deleteH_retrieve$D_write_lock
                                      • String ID:
                                      • API String ID: 1544393016-0
                                      • Opcode ID: 47b7952d6e2d18e52c957b194c01ca04e06264c0cd8e604bb8e5cac739606cb8
                                      • Instruction ID: ca4928d2ab57bcb9a7ffa18481c5aee4bb0078ef00d40752ff64de738bafbfe0
                                      • Opcode Fuzzy Hash: 47b7952d6e2d18e52c957b194c01ca04e06264c0cd8e604bb8e5cac739606cb8
                                      • Instruction Fuzzy Hash: 8D512770646B018FEB549F6AC49079BBBE0BB45318F14853DD89E8BA40FB35D484CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_CIPHER_key_length.LIBCRYPTO-1_1 ref: 6CCACE3E
                                      • EVP_CIPHER_iv_length.LIBCRYPTO-1_1 ref: 6CCACE50
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CCACE76
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Similarity
                                      • API ID: O_mallocR_iv_lengthR_key_length
                                      • String ID: A$P$key expansion
                                      • API String ID: 1279322062-264840606
                                      • Opcode ID: de371f67d42e17273423bac524719c28a736a3bb0d28c6704c831402fb113ed9
                                      • Instruction ID: 2fa9f2c249bfa287f7b72f15a8f88647dc7a3ea8a2b3094125afd8bfeef69701
                                      • Opcode Fuzzy Hash: de371f67d42e17273423bac524719c28a736a3bb0d28c6704c831402fb113ed9
                                      • Instruction Fuzzy Hash: 6551D3B0509301CFD700DF55D488B9ABBE0FB88308F158A6EE8988B755E779D548CF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC77E60: CRYPTO_THREAD_run_once.LIBCRYPTO-1_1(?,?,?,?,00000001,6CC6F4AE), ref: 6CC77E94
                                        • Part of subcall function 6CC77E60: OPENSSL_sk_find.LIBCRYPTO-1_1(?,?,?,?,00000001,6CC6F4AE), ref: 6CC77EBE
                                        • Part of subcall function 6CC77E60: OPENSSL_sk_value.LIBCRYPTO-1_1(?,?,?,?,00000001,6CC6F4AE), ref: 6CC77ECF
                                        • Part of subcall function 6CC77E60: EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CC7805D
                                      • EVP_CIPHER_key_length.LIBCRYPTO-1_1 ref: 6CCACE3E
                                      • EVP_CIPHER_iv_length.LIBCRYPTO-1_1 ref: 6CCACE50
                                        • Part of subcall function 6CC6F9C0: CRYPTO_clear_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,6CC623F6), ref: 6CC6F9EE
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CCACE76
                                        • Part of subcall function 6CCAC3B0: EVP_PKEY_CTX_new_id.LIBCRYPTO-1_1 ref: 6CCAC3E0
                                        • Part of subcall function 6CCAC3B0: EVP_PKEY_derive_init.LIBCRYPTO-1_1 ref: 6CCAC3F2
                                        • Part of subcall function 6CCAC3B0: EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAC426
                                        • Part of subcall function 6CCAC3B0: EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAC45E
                                        • Part of subcall function 6CCAC3B0: EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAC492
                                        • Part of subcall function 6CCAC3B0: EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAC4CA
                                        • Part of subcall function 6CCAC3B0: EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAC502
                                        • Part of subcall function 6CCAC3B0: EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAC53A
                                        • Part of subcall function 6CCAC3B0: EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAC56E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Similarity
                                      • API ID: X_ctrl$D_run_onceL_sk_findL_sk_valueO_clear_freeO_mallocR_flagsR_iv_lengthR_key_lengthX_new_idY_derive_init
                                      • String ID: $ $key expansion
                                      • API String ID: 969527974-4258685823
                                      • Opcode ID: e32a69ca2ad98cab82e2661bec11a42db96f81ea1f304c5ade7e454b6f692132
                                      • Instruction ID: 464ebd5b8f725ab241dac4b9d058cabcc5f320f1d6ff1c27869dec937fd8002b
                                      • Opcode Fuzzy Hash: e32a69ca2ad98cab82e2661bec11a42db96f81ea1f304c5ade7e454b6f692132
                                      • Instruction Fuzzy Hash: 0D41E6B0908301CFD704DF55C084B9ABBE0BF88308F158AAEE8989B755E775D949CF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_init_crypto.LIBCRYPTO-1_1 ref: 6CC7BC84
                                      • CRYPTO_THREAD_run_once.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00000000,6CC89B42), ref: 6CC7BCA7
                                      • ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6CC89B42), ref: 6CC7BD16
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Similarity
                                      • API ID: D_run_onceL_init_cryptoR_put_error
                                      • String ID: F
                                      • API String ID: 1977717042-1304234792
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BN_num_bits.LIBCRYPTO-1_1 ref: 6CC99881
                                        • Part of subcall function 6CC644F0: CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC64521
                                      • BN_bn2bin.LIBCRYPTO-1_1 ref: 6CC998CB
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC998EF
                                      • CRYPTO_strdup.LIBCRYPTO-1_1 ref: 6CC99913
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: N_bn2binN_num_bitsO_freeO_strdupO_zallocR_put_error
                                      • String ID: A$P
                                      • API String ID: 2241039121-345673399
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 6CC98D5F
                                      • OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 6CC98D6F
                                      • CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CC98D8F
                                      • CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CC98DB3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_cleanseO_clear_free$R_put_error
                                      • String ID: A$P
                                      • API String ID: 1256280376-345673399
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC6497A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_zalloc
                                      • String ID: A
                                      • API String ID: 1208671065-3554254475
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: D$P
                                      • API String ID: 0-307317852
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 6CC98D5F
                                      • OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 6CC98D6F
                                      • CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CC98D8F
                                      • CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CC98DB3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_cleanseO_clear_free$R_put_error
                                      • String ID: (
                                      • API String ID: 1256280376-3887548279
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CCA5CD5
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA5CF1
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCA5CFD
                                      • EVP_PKEY_security_bits.LIBCRYPTO-1_1 ref: 6CCA5DE9
                                      • EVP_PKEY_get1_tls_encodedpoint.LIBCRYPTO-1_1 ref: 6CCA60D0
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeR_put_errorX_freeY_freeY_get1_tls_encodedpointY_security_bits
                                      • String ID: D$P
                                      • API String ID: 868766672-307317852
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • strlen.MSVCRT ref: 6CCA59BD
                                      • BN_num_bits.LIBCRYPTO-1_1 ref: 6CCA5A3D
                                      • BN_bn2bin.LIBCRYPTO-1_1 ref: 6CCA5A8C
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CCA5CD5
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA5CF1
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCA5CFD
                                      • EVP_PKEY_size.LIBCRYPTO-1_1 ref: 6CCA5B28
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: N_bn2binN_num_bitsO_freeR_put_errorX_freeY_freeY_sizestrlen
                                      • String ID: 2$D
                                      • API String ID: 2272274274-1492618435
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC7C9A7
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC7C9B2
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC7C9CA
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7C9F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$R_put_errorY_free
                                      • String ID: A
                                      • API String ID: 3920316597-3554254475
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CCA5CD5
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA5CF1
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCA5CFD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeR_put_errorX_freeY_free
                                      • String ID: D$P
                                      • API String ID: 448281063-307317852
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC7C9A7
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC7C9B2
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC7C9CA
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7C9F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$R_put_errorY_free
                                      • String ID: A
                                      • API String ID: 3920316597-3554254475
                                      • Opcode ID: 6984287acf30ac701f58dffc951bb96f9265fe0a99cc8d3826a89885a9a98728
                                      • Instruction ID: db55ba6d857c0bf6426d1539a869be8bcdf9556a3b71a57a76e2d5733461de15
                                      • Opcode Fuzzy Hash: 6984287acf30ac701f58dffc951bb96f9265fe0a99cc8d3826a89885a9a98728
                                      • Instruction Fuzzy Hash: EBF0A4B1548B01ABDB009F55D84539EBBF0FF81368F01C90DE5D8ABBA0D77994899B83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_THREAD_write_lock.LIBCRYPTO-1_1 ref: 6CC8AEA9
                                      • OPENSSL_LH_retrieve.LIBCRYPTO-1_1 ref: 6CC8AEB8
                                      • OPENSSL_LH_delete.LIBCRYPTO-1_1 ref: 6CC8AECF
                                      • CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 6CC8AF33
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_unlockD_write_lockH_deleteH_retrieve
                                      • String ID:
                                      • API String ID: 3040165603-0
                                      • Opcode ID: 86e6951e3fea21d8fb23b400414df8ff16399109f455ee9cada629f0fa2c4da4
                                      • Instruction ID: 35308a7656dec4d95ea75b2fdd50719d68df1483993e763089772a04e08fde32
                                      • Opcode Fuzzy Hash: 86e6951e3fea21d8fb23b400414df8ff16399109f455ee9cada629f0fa2c4da4
                                      • Instruction Fuzzy Hash: 40311BB0646B018FD7549F6AC48479BBBE0BF85308F14492DE499C7A80F735E8858BA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memcpy.MSVCRT ref: 6CC8A954
                                      • CRYPTO_THREAD_read_lock.LIBCRYPTO-1_1 ref: 6CC8A969
                                      • OPENSSL_LH_retrieve.LIBCRYPTO-1_1 ref: 6CC8A97E
                                      • CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 6CC8A9A0
                                      • CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 6CC8A9C7
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_unlock$D_read_lockH_retrievememcpy
                                      • String ID:
                                      • API String ID: 3379989983-0
                                      • Opcode ID: 7f8ac079b271ecf6cf3bb6f341c22a6731e9e0e954fdc168835e461f56d6fb69
                                      • Instruction ID: f14287719311e37d5c4c35afccd4511d576ea8cea0d4b5348e8c9baa321228d6
                                      • Opcode Fuzzy Hash: 7f8ac079b271ecf6cf3bb6f341c22a6731e9e0e954fdc168835e461f56d6fb69
                                      • Instruction Fuzzy Hash: 6F413870609B418FD714DF69D48479BBBE0FF88358F01596DD88887751E734E9848F92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$O_strdupR_put_errorstrlen
                                      • String ID:
                                      • API String ID: 3219984059-0
                                      • Opcode ID: becba8cee53c5beb399c04022a06a6f326f7d8d7dee0277e024d56a2633e439a
                                      • Instruction ID: 257209f0b6cbd3a62b6586335255fbcf501cd83cfd10d10acfdca31391875ca2
                                      • Opcode Fuzzy Hash: becba8cee53c5beb399c04022a06a6f326f7d8d7dee0277e024d56a2633e439a
                                      • Instruction Fuzzy Hash: C72171F16093109FD710DF65E5C579BBBE0FF84318F05886DEA889B351E37498858B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$O_strdupR_put_errorstrlen
                                      • String ID:
                                      • API String ID: 3219984059-0
                                      • Opcode ID: 8e025c9e250f0ba685620f62d5a1562161a2205a899d79fed37e681a2045a7d3
                                      • Instruction ID: 4dae57d61349f304c919c0fd043bbc3249d0631a16f3e855ad494428b255232e
                                      • Opcode Fuzzy Hash: 8e025c9e250f0ba685620f62d5a1562161a2205a899d79fed37e681a2045a7d3
                                      • Instruction Fuzzy Hash: 802129B16097009FE710DF65E98579BBBF0FB44318F05896DE5D89B750E374A884CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC9FE49
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC9FE64
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC9FE7C
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1(?,?,?,?,00000000,6CC6241B), ref: 6CC9FE96
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1(?,?,?,?,00000000,6CC6241B), ref: 6CC9FEA1
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$X_free
                                      • String ID:
                                      • API String ID: 306345296-0
                                      • Opcode ID: cd7f8fb2708bc29af9ad4a1504c8242bd7becdd903c9559314558173833b83b7
                                      • Instruction ID: 4ae4a991b6aba86215b1c4b2ebc8cd9e75a3972b9ab29b2cb6276d978d18373e
                                      • Opcode Fuzzy Hash: cd7f8fb2708bc29af9ad4a1504c8242bd7becdd903c9559314558173833b83b7
                                      • Instruction Fuzzy Hash: 4301C4B06187008FCB04EFA4C0C571FBBE4EF44348F40885CE884ABB02E338D8958B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC9FE49
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC9FE64
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC9FE7C
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1(?,?,?,?,00000000,6CC6241B), ref: 6CC9FE96
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1(?,?,?,?,00000000,6CC6241B), ref: 6CC9FEA1
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$X_free
                                      • String ID:
                                      • API String ID: 306345296-0
                                      • Opcode ID: 9524f2167bd7101efafdfb94b2ce9fa1ce1cc853fda1a4cd0dd23f7eb15404f8
                                      • Instruction ID: d737f4b9fc228b90dfc99db7a7d629242cbaa13d252f922911ca36742b798006
                                      • Opcode Fuzzy Hash: 9524f2167bd7101efafdfb94b2ce9fa1ce1cc853fda1a4cd0dd23f7eb15404f8
                                      • Instruction Fuzzy Hash: 23F0A4B5518B019FCB04AF64C08535ABBE0FF84348F41884CE885ABB11E335D8998B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID: A
                                      • API String ID: 2581946324-3554254475
                                      • Opcode ID: f9306e5dddc4f7b0cd795862510e3f1f9d01f0ed18d34df920e66b03574adbf5
                                      • Instruction ID: 49123792151a3fc5833b02d315263d32d0120e97cce30231d043fa9e45ef1946
                                      • Opcode Fuzzy Hash: f9306e5dddc4f7b0cd795862510e3f1f9d01f0ed18d34df920e66b03574adbf5
                                      • Instruction Fuzzy Hash: 1CC18EB0509381CBD710CFA5C68079AB7E1FF88348F144A6DE998ABB50F730E985CB46
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC84F67
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_malloc
                                      • String ID: A
                                      • API String ID: 1457121658-3554254475
                                      • Opcode ID: 5cb48878182f7e9cbc79eea3c96eeaad3bc9285d22fff36cb89d2316a8baf163
                                      • Instruction ID: d81345f5a926612055959d64ac878c7a91e14b486e39218ef38aeb7d27bfee8d
                                      • Opcode Fuzzy Hash: 5cb48878182f7e9cbc79eea3c96eeaad3bc9285d22fff36cb89d2316a8baf163
                                      • Instruction Fuzzy Hash: 97417E7160A3018FDB21CF15C890B9BBBF5EF81369F15892CE9989B750E736A845CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_mallocmemcpy
                                      • String ID: D$P
                                      • API String ID: 1834057931-307317852
                                      • Opcode ID: 976b22f7faf8f2dab0f2635c30aee238a19b8db533e17714fc388bcb400c623d
                                      • Instruction ID: a2aa8e13ce9d2910d71dd3aeeae491158e6d1d69e55eb48d16210ef1280976c8
                                      • Opcode Fuzzy Hash: 976b22f7faf8f2dab0f2635c30aee238a19b8db533e17714fc388bcb400c623d
                                      • Instruction Fuzzy Hash: 224168B420A3058FE7109F25D5847ABBBE4EF80748F20886DED9C9B741E775D844DB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC64FFD
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC6505F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_zallocR_put_error
                                      • String ID: A
                                      • API String ID: 2718799170-3554254475
                                      • Opcode ID: 891e9d410742c66c768bab2f0270261c4ada3de353537badc8b49d69775d6474
                                      • Instruction ID: 4a098a757529d1f829e58acbe5533556ae8ae9152619f0988da45cd16e419115
                                      • Opcode Fuzzy Hash: 891e9d410742c66c768bab2f0270261c4ada3de353537badc8b49d69775d6474
                                      • Instruction Fuzzy Hash: 06317E752097018FDB14CF6AD19074ABBE0EF88358F14C92EE8DA8BB51E771E445CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC76F52
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC76FCE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeO_zalloc
                                      • String ID: A
                                      • API String ID: 2237658545-3554254475
                                      • Opcode ID: 293b6333a1bc808c7be1f00369a88d7de6f08729b29b6e2e60faf52e528c3b29
                                      • Instruction ID: 13c351e09ae4acad99919257f6c5f1972e64c3983bb13b16e40f5603717d2467
                                      • Opcode Fuzzy Hash: 293b6333a1bc808c7be1f00369a88d7de6f08729b29b6e2e60faf52e528c3b29
                                      • Instruction Fuzzy Hash: 8F314671224B028FE714CF6AC88474BBBE5FF84358F54C92CE989CB610E334E8448BA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_mallocmemcpy
                                      • String ID: A$P
                                      • API String ID: 1834057931-345673399
                                      • Opcode ID: b906dff7e3f1df5ed7a3e810f838b8a6a7f063ba73f4b924f0587162d6c91f34
                                      • Instruction ID: 91070e83e422861d74d566b900f732ccb25da05253abf44548a978754982bfa8
                                      • Opcode Fuzzy Hash: b906dff7e3f1df5ed7a3e810f838b8a6a7f063ba73f4b924f0587162d6c91f34
                                      • Instruction Fuzzy Hash: 6E318EB4A046018FC708CF59D084A46FBE5FF88314F15C6AAED488B316E731E885CFA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC939B1
                                      • CRYPTO_memdup.LIBCRYPTO-1_1 ref: 6CC939E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeO_memdup
                                      • String ID: D$P
                                      • API String ID: 3962629258-307317852
                                      • Opcode ID: b34929b2df8f2479ce290f612a8103b4e2bd08996813dd902df131ad42499699
                                      • Instruction ID: 7544fb205be3bc01a5533ea5d2958e3bc7487ce2e2d1552da7a7259841b1dda0
                                      • Opcode Fuzzy Hash: b34929b2df8f2479ce290f612a8103b4e2bd08996813dd902df131ad42499699
                                      • Instruction Fuzzy Hash: 803149B1209B419BE300CF65D48435BFBE0FB81348F45892DE49C5B740E77AA889CF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_mallocmemcpy
                                      • String ID: A$P
                                      • API String ID: 1834057931-345673399
                                      • Opcode ID: de74dd1bf1c31ebbb4c937e0fc101e99d7eedb7847ba47255dc8318735435b07
                                      • Instruction ID: 168d8fab9babf8d6755a3503eeea567b30600e082652771cfedcf26e8d852e54
                                      • Opcode Fuzzy Hash: de74dd1bf1c31ebbb4c937e0fc101e99d7eedb7847ba47255dc8318735435b07
                                      • Instruction Fuzzy Hash: 992148B15197629FE7009F28C49536EFFE0EF81344F00CA6EE4989B645E3B8C485CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_get1_tls_encodedpoint.LIBCRYPTO-1_1 ref: 6CC8FDF1
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC8FE9D
                                        • Part of subcall function 6CC654B0: CRYPTO_zalloc.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,6CCA8994), ref: 6CC654E1
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC8FF0F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$O_zallocY_get1_tls_encodedpoint
                                      • String ID: D$P
                                      • API String ID: 2187447678-307317852
                                      • Opcode ID: ef7689f062ea876a67918f9cff131d041a0f71a1123bd66629c42a9b92689e5f
                                      • Instruction ID: 89c43fa1031d86b6a24a2d6ed8e3c62294c79082815f8474b5f73b7e24590818
                                      • Opcode Fuzzy Hash: ef7689f062ea876a67918f9cff131d041a0f71a1123bd66629c42a9b92689e5f
                                      • Instruction Fuzzy Hash: 0A21A0B150A7059ED710DF25C58435BFBE0AF84348F108C2EE9A897B51E774D448CF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeO_mallocR_put_errormemcpy
                                      • String ID: A
                                      • API String ID: 92311482-3554254475
                                      • Opcode ID: 751e9fc604774a2d238ea5a30a326f2128287cb64a90cb6bf1fae5300b30aa19
                                      • Instruction ID: d66f74b5bbb6e77c368cb7524fcfd5e0783d370e614d70999c388b60d46f146f
                                      • Opcode Fuzzy Hash: 751e9fc604774a2d238ea5a30a326f2128287cb64a90cb6bf1fae5300b30aa19
                                      • Instruction Fuzzy Hash: F5F0F8B12097019ED7049F51D44535EBBE0FFC1389F00C81CE689ABB60E379848A8F83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA171A
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCA1722
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeR_put_errorX_free
                                      • String ID: A$P
                                      • API String ID: 3043902822-345673399
                                      • Opcode ID: 8744c75a29830559331c85b2dff1fcd187d708726e4236681a891abf775cbe3b
                                      • Instruction ID: e4e4b7aa6ddad342631840b81e90d4655c43f0320396005f392dea6d1ea24547
                                      • Opcode Fuzzy Hash: 8744c75a29830559331c85b2dff1fcd187d708726e4236681a891abf775cbe3b
                                      • Instruction Fuzzy Hash: FCF015B1148B02CEE3009F64D84539FBBE0FB80319F00882EE1D897A50E77985898B83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_THREAD_write_lock.LIBCRYPTO-1_1 ref: 6CC8AEA9
                                      • OPENSSL_LH_retrieve.LIBCRYPTO-1_1 ref: 6CC8AEB8
                                      • OPENSSL_LH_delete.LIBCRYPTO-1_1 ref: 6CC8AECF
                                      • CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 6CC8AF33
                                      • CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 6CC8AF9B
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_unlock$D_write_lockH_deleteH_retrieve
                                      • String ID:
                                      • API String ID: 3617886225-0
                                      • Opcode ID: 258dae04acc087ff7eb3f15126870c20dc507b67e299f3252861565dd2899385
                                      • Instruction ID: f9bdadf8a4a95cbc461f48042b6de6c217ab8ae4e89805ef8f39c587e2b327c5
                                      • Opcode Fuzzy Hash: 258dae04acc087ff7eb3f15126870c20dc507b67e299f3252861565dd2899385
                                      • Instruction Fuzzy Hash: BB210BB0642B018FE7549F79C4807ABBBE0BF85318F11492DD499D7B80F735E8858BA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID: D$P
                                      • API String ID: 2581946324-307317852
                                      • Opcode ID: b042b8f16d8b64071fd533548e6c02d8a9a90f69de39e63004d523fc75710022
                                      • Instruction ID: 081198d373744825d09685bfe8fcf2219af68ab8d8ca58281e09c67dbb4a8ebd
                                      • Opcode Fuzzy Hash: b042b8f16d8b64071fd533548e6c02d8a9a90f69de39e63004d523fc75710022
                                      • Instruction Fuzzy Hash: 4671E5B46057058FD700DF26C280656BBE0BF88358F6485BDDC998FB16E735E982CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCB0E14
                                        • Part of subcall function 6CCB08E0: CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCB0923
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID: D$P
                                      • API String ID: 2581946324-307317852
                                      • Opcode ID: 7b6b6ea35b3d9a49987367635793cf6b4762b776cb7be45c25a3f35d6e6d47f2
                                      • Instruction ID: 75ede472adf3be2a3877e41baa6ba4c160678486fc865263d79773c77b87f425
                                      • Opcode Fuzzy Hash: 7b6b6ea35b3d9a49987367635793cf6b4762b776cb7be45c25a3f35d6e6d47f2
                                      • Instruction Fuzzy Hash: 7041F4B260A3818BD7108F65D68439AB7A0FF80318F19863DE85C6FB41F735D485CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: D$P
                                      • API String ID: 0-307317852
                                      • Opcode ID: 77f64b7889de11635b056f8a08dff570e3d058b81eafb6dcd6cb491afcc604fd
                                      • Instruction ID: ac130089d5a73d58643108d63492623ddb4b80f1c69dc32c1597d582cab4abb3
                                      • Opcode Fuzzy Hash: 77f64b7889de11635b056f8a08dff570e3d058b81eafb6dcd6cb491afcc604fd
                                      • Instruction Fuzzy Hash: D13102B1609701CBE310CF25D58874BBBE4FB85398F508A1DE4A98B744E779D8888F92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID: 2
                                      • API String ID: 2581946324-450215437
                                      • Opcode ID: 4305cf490168df843cfde5447efcc917d714fe379852b460f552cf1216fc6308
                                      • Instruction ID: 2dd4529209a55dc721d941dd48a5fa24cabc5c44c5c739d7a5ea58cc86628afe
                                      • Opcode Fuzzy Hash: 4305cf490168df843cfde5447efcc917d714fe379852b460f552cf1216fc6308
                                      • Instruction Fuzzy Hash: D931C2B59047028FCB04CF55C18464ABBE1FF89348F24CA9ED8889B716E335E956CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC9008B
                                        • Part of subcall function 6CC64FD0: CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC64FFD
                                        • Part of subcall function 6CC654B0: CRYPTO_zalloc.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,6CCA8994), ref: 6CC654E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_zalloc$O_free
                                      • String ID: D$P
                                      • API String ID: 1411191933-307317852
                                      • Opcode ID: d0f19d8c80a979ca87d6edc2645908e65d1e0f30d82b1ed4a72001f50d3cd14b
                                      • Instruction ID: d243ace8c93f8c724ad16ed32ce5401c27729b90bd53b081d67293b0f38afc92
                                      • Opcode Fuzzy Hash: d0f19d8c80a979ca87d6edc2645908e65d1e0f30d82b1ed4a72001f50d3cd14b
                                      • Instruction Fuzzy Hash: F7214DB05097009FE710DF25C58976BBBE4BF84349F00982CE8889B741E779D845CF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2$n
                                      • API String ID: 0-2202813717
                                      • Opcode ID: 7e8f28db257b22267cbbc6a4b724aeecf2c44189c86cec6b66d84f2378902ebd
                                      • Instruction ID: d79659c188870eef8b862f4dd2d57caa13697751db5534788fc4cdb5fd238676
                                      • Opcode Fuzzy Hash: 7e8f28db257b22267cbbc6a4b724aeecf2c44189c86cec6b66d84f2378902ebd
                                      • Instruction Fuzzy Hash: 7A2156B160D340CBE710CF25E49579BBBE4BF84348F04892CE8985B744E336D884DB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC64CE5
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC64D37
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_zallocR_put_error
                                      • String ID: A
                                      • API String ID: 2718799170-3554254475
                                      • Opcode ID: 05881272eea45aff69aa3e4c0d814c10318bcbfdf0b7e4bc7b34246939c09138
                                      • Instruction ID: 10dffc8bd3181c8b4fa81dddd9962b29e562d4e7d430cf96270ed05a3939c559
                                      • Opcode Fuzzy Hash: 05881272eea45aff69aa3e4c0d814c10318bcbfdf0b7e4bc7b34246939c09138
                                      • Instruction Fuzzy Hash: 04014BB0609301DFEB04CF56D59430B7BE1AB81358F54C95CE8984FB85E77AC4858BA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC8181B
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC818A3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeR_put_error
                                      • String ID: A
                                      • API String ID: 3735976985-3554254475
                                      • Opcode ID: fd1fe1f6b9baad4751dd99dd676ed73b01b34d346fc5e57fd8a820e2a37e1e95
                                      • Instruction ID: dbec38aa9c581d55865454ec99119e26a7464bcd2f818df18cc84f3cdd7970ee
                                      • Opcode Fuzzy Hash: fd1fe1f6b9baad4751dd99dd676ed73b01b34d346fc5e57fd8a820e2a37e1e95
                                      • Instruction Fuzzy Hash: 4CE0C2F22497019EDB009F55E88538ABBE0FB8035CF00C82DE59897760E3B994898B83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC80C43
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC80C5B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeR_put_error
                                      • String ID: A
                                      • API String ID: 3735976985-3554254475
                                      • Opcode ID: 111b015e083b7a3eed2215b2c6691190a83b6b5ba6abffc1a55265096fd34e26
                                      • Instruction ID: cde63c473da114c43f051269329030432ba040817b730b8d44dda58aa4041943
                                      • Opcode Fuzzy Hash: 111b015e083b7a3eed2215b2c6691190a83b6b5ba6abffc1a55265096fd34e26
                                      • Instruction Fuzzy Hash: 19E0C2F15093409ED7009F21D44538BBBF0BB81318F00C80CE0D86B760D37A8989CF82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_zalloc.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6CC6612A), ref: 6CC6587A
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC658BB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_zallocR_put_error
                                      • String ID: A
                                      • API String ID: 2718799170-3554254475
                                      • Opcode ID: 3fb789855cc205a5540b27e7652a52c0bebc30276d442495c66fb73c0527b701
                                      • Instruction ID: a4e61c4fad1b5ec067c3cef26aff0235f486b177a174acdb1c12d627ec1d1f31
                                      • Opcode Fuzzy Hash: 3fb789855cc205a5540b27e7652a52c0bebc30276d442495c66fb73c0527b701
                                      • Instruction Fuzzy Hash: CCE0C9B4408340DAD704DF64C10531ABBE0AF84348F80880DE8DC5B760E3BA8559CB43
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CC92C68
                                      • CRYPTO_memdup.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CC92C96
                                      • CRYPTO_memdup.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CC92CBC
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_memdup$O_free
                                      • String ID:
                                      • API String ID: 2280451731-0
                                      • Opcode ID: fac473cf5aaed1700031744a2d1743507c7c3a88db9cb24a732361f0cf3d4452
                                      • Instruction ID: 134c3b0d9cfa59e6813887bd3a8eff97005411b6d8cefbca67ef79feb477295d
                                      • Opcode Fuzzy Hash: fac473cf5aaed1700031744a2d1743507c7c3a88db9cb24a732361f0cf3d4452
                                      • Instruction Fuzzy Hash: 7A212BB6A097029FDB14CF25C4A971AB7E0FB59348F15892DE88A97B10F335E544CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_THREAD_write_lock.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,000004E8,?,6CC8B7CE), ref: 6CC899A9
                                      • OPENSSL_LH_retrieve.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,000004E8,?,6CC8B7CE), ref: 6CC899B8
                                      • OPENSSL_LH_delete.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,000004E8,?,6CC8B7CE), ref: 6CC899CD
                                      • CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 6CC89A11
                                      • CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 6CC89A35
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_unlock$D_write_lockH_deleteH_retrieve
                                      • String ID:
                                      • API String ID: 3617886225-0
                                      • Opcode ID: 5859caa8d04eaeb6008a2d9847b2640c0a0a2345a1da673a3539084b2e735722
                                      • Instruction ID: ea0b900d100f5419de55626c289e747d94eb8486d272b9ce009d1e0f4cf52c5e
                                      • Opcode Fuzzy Hash: 5859caa8d04eaeb6008a2d9847b2640c0a0a2345a1da673a3539084b2e735722
                                      • Instruction Fuzzy Hash: 800148B560AB018BE710AF69D18079BBBE0AF85308F15493CD88ED7B00FB35D8808B51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,6CC74719,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC92D80
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,6CC74719,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC92DAC
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,6CC74719,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC92DC7
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      • Opcode ID: 38f5abd263c8aa89c60d7b8aa2e1524829c0bb7d37e3ceaaae51c5d20f7f6965
                                      • Instruction ID: 31507fed8e4ad8f1ff27b2f23f66864ab71411b9d1461852f1807c075ab1062a
                                      • Opcode Fuzzy Hash: 38f5abd263c8aa89c60d7b8aa2e1524829c0bb7d37e3ceaaae51c5d20f7f6965
                                      • Instruction Fuzzy Hash: 620129B69097419BDB009F14E4D971AFBE0FB44348F52895CE899A7B54F330D980CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CC92C68
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CC92D0C
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CC92D27
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      • Opcode ID: a8b8119e7c15c089509a48bad15307e5668b4a17cdedcd4fd548bb8d88488efd
                                      • Instruction ID: 1262fbba7ed6d7389a4e35262ce341d5379b196490999ff88a7466aef55272a1
                                      • Opcode Fuzzy Hash: a8b8119e7c15c089509a48bad15307e5668b4a17cdedcd4fd548bb8d88488efd
                                      • Instruction Fuzzy Hash: 09F0E7B6A497419FDB00DF64D4D575AFBE0FB45344F41885DE48AABB10E331D884CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,6CC74719,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC92D80
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,6CC74719,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC92DAC
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,6CC74719,?,?,?,?,?,?,?,00000000,6CC81837), ref: 6CC92DC7
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      • Opcode ID: bbcc3566731b825bd5bbee14c41f110454534f2383ea46ee31c33265a8ab7897
                                      • Instruction ID: 1e131743762b42426004ff57dbaa02ecadcf68fa3961294a72ae354029f76043
                                      • Opcode Fuzzy Hash: bbcc3566731b825bd5bbee14c41f110454534f2383ea46ee31c33265a8ab7897
                                      • Instruction Fuzzy Hash: 58F017B6908B419BDB009F58E09535AFBE0FB44344F41C81DE489A7750E3309884CB83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA093B
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA0956
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA096E
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 6CCA09B7
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCA09C2
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$X_free
                                      • String ID:
                                      • API String ID: 306345296-0
                                      • Opcode ID: 9dd33468fd231f6c8e714287673bf2c244ef572b9e9749c0f91e1b4c1e4de8eb
                                      • Instruction ID: 821440ce3fa0d38f02478aa0aa479824e700e7111c14796988343cbccad5e72a
                                      • Opcode Fuzzy Hash: 9dd33468fd231f6c8e714287673bf2c244ef572b9e9749c0f91e1b4c1e4de8eb
                                      • Instruction Fuzzy Hash: 29F0B2B6619B019ED7109F65D18535BBBE0FFC0749F50C81DE589A7B10E734E48A8B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • invalid distance code, xrefs: 62E882EF
                                      • invalid literal/length code, xrefs: 62E88244
                                      • invalid distance too far back, xrefs: 62E88796
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: invalid distance code$invalid distance too far back$invalid literal/length code
                                      • API String ID: 0-3255898291
                                      • Opcode ID: 5d427706fd979db04a0442cbd68b594deb61790300ad38829fb2e6046903f22f
                                      • Instruction ID: 92a10079dbac65ad3958358783acd1f0788288010454c260c64923141de04c21
                                      • Opcode Fuzzy Hash: 5d427706fd979db04a0442cbd68b594deb61790300ad38829fb2e6046903f22f
                                      • Instruction Fuzzy Hash: C572E475D046298FCB14CFA9C4905AEFBB2BF89354F24C26AD8997B305D3396942CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .$gfff$gfff
                                      • API String ID: 0-2819268606
                                      • Opcode ID: a7bdce88798a3121cdbad411e47ad03323a3903414a061856a44396c220ed1d9
                                      • Instruction ID: b93177785e2b3be4e42b3df0c40743118a87bab21836833a35cb292ce8f2099f
                                      • Opcode Fuzzy Hash: a7bdce88798a3121cdbad411e47ad03323a3903414a061856a44396c220ed1d9
                                      • Instruction Fuzzy Hash: 53D18971A083418BDB04CE69C0A070AF7E1AFC8358FA8C97DFCC89B355D679D9458B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$D_sizeDigestO_mallocP_sha256memcpytime
                                      • String ID: 2
                                      • API String ID: 131977122-450215437
                                      • Opcode ID: 23de93a6c63657395a80bed3d42f3e5e50541240e429eefb5b7722c79c0fa3c8
                                      • Instruction ID: ecbbbe7676d1f40fdc37af6543fbd9c980047fbbdb4e2083f75425ec26e21f25
                                      • Opcode Fuzzy Hash: 23de93a6c63657395a80bed3d42f3e5e50541240e429eefb5b7722c79c0fa3c8
                                      • Instruction Fuzzy Hash: D42149B54063228FC710AF14C1942AAFBE0FF41718F15895EE9CA5BB45E376D888CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC8FE9D
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC8FFB1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeR_put_errorY_free
                                      • String ID: P
                                      • API String ID: 2117244611-3110715001
                                      • Opcode ID: 9b53a449de4b162cac49babb92ee66cd259f81214a0b03ad0984f1ff32a17f86
                                      • Instruction ID: 8cad0c62d647ea15bee891c52fceca688ec998ed27fbd95e0dc4351a3c8b0f72
                                      • Opcode Fuzzy Hash: 9b53a449de4b162cac49babb92ee66cd259f81214a0b03ad0984f1ff32a17f86
                                      • Instruction Fuzzy Hash: 7AF0B2B520A7019EE300DF25D45939BBBE0BB85388F008C1DE4A99BB50E37594488B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CCAAB56
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_clear_freeR_put_error
                                      • String ID: 2
                                      • API String ID: 1004428288-450215437
                                      • Opcode ID: 234491a8c01e4410766ef30c9c74c906b6205b66db5657a81e344dfc8d4afd96
                                      • Instruction ID: d69db957e76eb10dd65fd67416559f92cf9284bcf874d08595b53943964a8d37
                                      • Opcode Fuzzy Hash: 234491a8c01e4410766ef30c9c74c906b6205b66db5657a81e344dfc8d4afd96
                                      • Instruction Fuzzy Hash: 2BF017B1508700CFD310CF54D48879ABBE0FF84354F10C96EE8A89B361D7B994888F82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      • Opcode ID: 9e391dc05665e82b75913a584d9fbe25f99bac481dc5f7c1393f9d012a44f03a
                                      • Instruction ID: 31bb523582b62b703861b8a05b2fd27ea9725f76c2af12c86ae207ab204405aa
                                      • Opcode Fuzzy Hash: 9e391dc05665e82b75913a584d9fbe25f99bac481dc5f7c1393f9d012a44f03a
                                      • Instruction Fuzzy Hash: 732182726052108FCB05DF1AD6E471BBBA1FF80318F1AC199D8485FB15E331E845CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC76F52
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC76FCE
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC77027
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeO_zallocR_put_error
                                      • String ID:
                                      • API String ID: 3070865948-0
                                      • Opcode ID: 104aedf8f86b32fe4ecc16065c56747cbee1c4c943b5db74a0e36cab79c25841
                                      • Instruction ID: 404435c5e711d9d98465d7f7822875259a853f936b6f650827a5ce3a9faf0458
                                      • Opcode Fuzzy Hash: 104aedf8f86b32fe4ecc16065c56747cbee1c4c943b5db74a0e36cab79c25841
                                      • Instruction Fuzzy Hash: 4F113371618B028FD7108F69D98434BBBE5FF84348F10C82CE989D7610E330E8448B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • COMP_expand_block.LIBCRYPTO-1_1 ref: 6CC6A956
                                      • CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC6A98F
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_mallocP_expand_block
                                      • String ID:
                                      • API String ID: 3543690440-0
                                      • Opcode ID: acaf953e2e64e3e38a9dea05b7d65ea7b60e1610cc2c0a532c3f046eb42ee1c6
                                      • Instruction ID: 25ad52d76417227d0fe3d32411afe767e633f92bd0b2b67ac848b2136e7b7112
                                      • Opcode Fuzzy Hash: acaf953e2e64e3e38a9dea05b7d65ea7b60e1610cc2c0a532c3f046eb42ee1c6
                                      • Instruction Fuzzy Hash: 0301D6B06057019FDB48CF66D5C070BBBE0AF88344F25986DE989DB755E334D8918B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA8CF8
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA8D10
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$R_put_error
                                      • String ID:
                                      • API String ID: 1631441854-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 6CC789D2
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC78BE4
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC78CC7
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC78DD5
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$L_sk_new_null
                                      • String ID:
                                      • API String ID: 3670098697-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CC72B5E
                                      • OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 6CC72C3F
                                      • CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CC72C50
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_clear_free$L_cleanse
                                      • String ID:
                                      • API String ID: 2463162332-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_mallocmemcpy
                                      • String ID:
                                      • API String ID: 1834057931-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: invalid bit length repeat
                                      • API String ID: 0-1557105326
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC6A1E0: CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC6A1FD
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC66F2E
                                        • Part of subcall function 6CC65830: CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC6584A
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC6A1E0: CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC6A1FD
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC66AA1
                                        • Part of subcall function 6CC65830: CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC6584A
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CCA5CD5
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA5CF1
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCA5CFD
                                        • Part of subcall function 6CC654B0: CRYPTO_zalloc.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,6CCA8994), ref: 6CC654E1
                                      • CRYPTO_free.LIBCRYPTO-1_1 ref: 6CCA5F47
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free$O_zallocX_freeY_free
                                      • String ID:
                                      • API String ID: 2708676371-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 6CC8AF33
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_unlock
                                      • String ID:
                                      • API String ID: 3327040364-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 6CC72B5E
                                      • OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 6CC72C3F
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_cleanseO_clear_free
                                      • String ID:
                                      • API String ID: 778410385-0
                                      • Opcode ID: 21bf0e8f7f862114bdf8c810111be3c5dcf433768c455145eabad0e6a0ab5db9
                                      • Instruction ID: d1f1150571c9fca27f059752ddb1436d6946ad4be832a8cb01493ec86de1f784
                                      • Opcode Fuzzy Hash: 21bf0e8f7f862114bdf8c810111be3c5dcf433768c455145eabad0e6a0ab5db9
                                      • Instruction Fuzzy Hash: 1EF0F475B083018BE710CFA9C49475BF7E0FB84759F10882DE89987B11E374D8088B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 6CC8AF9B
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_unlock
                                      • String ID:
                                      • API String ID: 3327040364-0
                                      • Opcode ID: 25e36fb2d75438b98691d60a7683056de0de341b79a3a679bf49c10cd834aecc
                                      • Instruction ID: 53c28c0c9ebc60713f88c1e9c83d580d762476a1042a9b559388ed901c60345e
                                      • Opcode Fuzzy Hash: 25e36fb2d75438b98691d60a7683056de0de341b79a3a679bf49c10cd834aecc
                                      • Instruction Fuzzy Hash: 59E0EC71645B108BD7409F69D4C03DAB7E0BB84318F044C2DD99ED7A40E735A5958BA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_THREAD_run_once.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00000000,6CC89B42), ref: 6CC7BCA7
                                      • CRYPTO_THREAD_run_once.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00000000,6CC89B42), ref: 6CC7BD37
                                      • CRYPTO_THREAD_run_once.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00000000,6CC89B42), ref: 6CC7BD6F
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_run_once
                                      • String ID:
                                      • API String ID: 1403826838-0
                                      • Opcode ID: 9300a6807a2bec7e4b30f9277b34192a729261df849bf2d2737f217a3e98df79
                                      • Instruction ID: 7fd534f68a035966d9b27d92196cfebba2c16b3f78d79f4c9bb34baac3dde9ab
                                      • Opcode Fuzzy Hash: 9300a6807a2bec7e4b30f9277b34192a729261df849bf2d2737f217a3e98df79
                                      • Instruction Fuzzy Hash: 9EE012B2A467094AEB244F46C5723667274EF50388F09945C9C5197E54FB319480C7B2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_clear_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,6CC623F6), ref: 6CC6F9EE
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_clear_free
                                      • String ID:
                                      • API String ID: 2011826501-0
                                      • Opcode ID: 369ccd62fe086b1389c0f8ae3e068a2aa807b4389f95c19e00bba21f6d2c8033
                                      • Instruction ID: 7ffd9c17b538a5b2fbea8ba4a05af962b74a43293ce33b265439cb50891d44c0
                                      • Opcode Fuzzy Hash: 369ccd62fe086b1389c0f8ae3e068a2aa807b4389f95c19e00bba21f6d2c8033
                                      • Instruction Fuzzy Hash: A8E0EEB4505300AFC700DFA8D48CB5ABBE0AB8C314F15C6A9E8984B322E33494448F82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      • Opcode ID: cd3d40de9d628f062ab7c09810097ea9d4a3cb460b88354266331483954e4341
                                      • Instruction ID: 80f4aff74845131041f7785b488344942ca06fe103541badb4b6effe1c692701
                                      • Opcode Fuzzy Hash: cd3d40de9d628f062ab7c09810097ea9d4a3cb460b88354266331483954e4341
                                      • Instruction Fuzzy Hash: AEE0E2B6605B008FE710CF68E884BD6B7F0FB44318F01896CE5999B350D375A885CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_THREAD_run_once.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00000000,6CC89B42), ref: 6CC7BD6F
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_run_once
                                      • String ID:
                                      • API String ID: 1403826838-0
                                      • Opcode ID: 5918c48a773a6482c75bc08806c8136d7b1f609f18fea6985b9ffb006cb747b0
                                      • Instruction ID: 71cc39c12b47de2b5ca72e1afb78a3036eb812f8248620df878756606da2822c
                                      • Opcode Fuzzy Hash: 5918c48a773a6482c75bc08806c8136d7b1f609f18fea6985b9ffb006cb747b0
                                      • Instruction Fuzzy Hash: 17D0C9B2A456128BDB208F668922786B3F4EF42745F09881CD999D7A10FB30F444D7E2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_THREAD_run_once.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00000000,6CC89B42), ref: 6CC7BD37
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_run_once
                                      • String ID:
                                      • API String ID: 1403826838-0
                                      • Opcode ID: 27069e296657768454c3656b13c0fe803ab826e97389c334574280508ebd3adf
                                      • Instruction ID: 14deaa910b1d7ca8042a09467832815bcfac53a5cdcd482c6524d6cd891522ce
                                      • Opcode Fuzzy Hash: 27069e296657768454c3656b13c0fe803ab826e97389c334574280508ebd3adf
                                      • Instruction Fuzzy Hash: 43D0C9B2B456128B9B209F568922647B3B5FB81745B19C41CCDA59BB14FF30E441C7E2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      • Opcode ID: 42eaec30f882c388e9910211e2e4fd2d616105a8dae0a865ede0666c3bbeadb5
                                      • Instruction ID: 282713b88cb39672421d46ec7bceffbc1655f144bd7ba5762ab070adf5cc8bb2
                                      • Opcode Fuzzy Hash: 42eaec30f882c388e9910211e2e4fd2d616105a8dae0a865ede0666c3bbeadb5
                                      • Instruction Fuzzy Hash: 4DD012B1404F008FD7109F24E444343B7E0FB00308F02C81CD49A67B41D376F8858B80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      • Opcode ID: 258947195992d6e77d7f988f34d96acfb8189fe8de43ca331629f457f08af38d
                                      • Instruction ID: 197b236801f8327f4287f33f53024218a30e1d62bb6bcfdcbc7de8deda5cf4bf
                                      • Opcode Fuzzy Hash: 258947195992d6e77d7f988f34d96acfb8189fe8de43ca331629f457f08af38d
                                      • Instruction Fuzzy Hash: BFD09276804B018FCA00AF24C84535ABBE0BB44308F85894CD88967611E334A5499B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      • Opcode ID: a993ffdb541c0e39956c05e693de7cf819c8f8574d08355857837aa09d56b7f8
                                      • Instruction ID: 23fb0bd46066dab6be8cc697c8bda79934eec82707da93b0cbf5dd2a45f98550
                                      • Opcode Fuzzy Hash: a993ffdb541c0e39956c05e693de7cf819c8f8574d08355857837aa09d56b7f8
                                      • Instruction Fuzzy Hash: CFD092B0544B408BDB008F58C9A438BBBE0EB4030AF048879A8489F615D77984888FA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,6CC66168), ref: 6CC658EA
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      • Opcode ID: 5bd3efb3da0a9d93f68088a9682b3e6c9d41b69d108a2d60380d4cc0ccfc55fc
                                      • Instruction ID: 39a0b6c60fee159fe86f7d8cf2a3d6af4543426989f0cecc9705502e33e9b61f
                                      • Opcode Fuzzy Hash: 5bd3efb3da0a9d93f68088a9682b3e6c9d41b69d108a2d60380d4cc0ccfc55fc
                                      • Instruction Fuzzy Hash: 0BC002B99187409BCB04AF58C15631ABAE0BB84248F84895DE48857711E37985988B53
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free
                                      • String ID:
                                      • API String ID: 2581946324-0
                                      • Opcode ID: 5bd3efb3da0a9d93f68088a9682b3e6c9d41b69d108a2d60380d4cc0ccfc55fc
                                      • Instruction ID: 39a0b6c60fee159fe86f7d8cf2a3d6af4543426989f0cecc9705502e33e9b61f
                                      • Opcode Fuzzy Hash: 5bd3efb3da0a9d93f68088a9682b3e6c9d41b69d108a2d60380d4cc0ccfc55fc
                                      • Instruction Fuzzy Hash: 0BC002B99187409BCB04AF58C15631ABAE0BB84248F84895DE48857711E37985988B53
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 6CC89A11
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_unlock
                                      • String ID:
                                      • API String ID: 3327040364-0
                                      • Opcode ID: 935bedb81b99909b4a9e6662a6a4f5c8fa00fd21c70f3adae001d6508bcfd7df
                                      • Instruction ID: 4f87161287280fe3554bfa326ac6d2272525c78d05f74083b2037852c372e259
                                      • Opcode Fuzzy Hash: 935bedb81b99909b4a9e6662a6a4f5c8fa00fd21c70f3adae001d6508bcfd7df
                                      • Instruction Fuzzy Hash: 2AC00275844B148ACB50DF64C4943C6B7E0BB05304F014858CDAAA7700D7757889CA91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 1.2.5
                                      • API String ID: 0-1624589015
                                      • Opcode ID: 7f6af4a4a4e4db1c3f10afba68f6cf6a74c8fb202dd94dce20211f2c4acab0e2
                                      • Instruction ID: 97fff856cb81c01c5f15b2ede1ae8f8208f2fec45143211d84cba813d9a4841c
                                      • Opcode Fuzzy Hash: 7f6af4a4a4e4db1c3f10afba68f6cf6a74c8fb202dd94dce20211f2c4acab0e2
                                      • Instruction Fuzzy Hash: 1A81B332D605668FDB18CF69C8402AA73A2FB8F345BDA8D36CB546B245C335B852C7D0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID:
                                      • API String ID: 2221118986-0
                                      • Opcode ID: e44618efc19622628a8e86d0663eb07593b5f8df54c72b87aece65cc0ce6556c
                                      • Instruction ID: 0ed7abc14f328f5a04be7b65847ab0d6567488410bd07394e4a5340c628ceedc
                                      • Opcode Fuzzy Hash: e44618efc19622628a8e86d0663eb07593b5f8df54c72b87aece65cc0ce6556c
                                      • Instruction Fuzzy Hash: 1241D836B183158FD714CE3AD89065BF7D2AFC8314F09893DE988D7745D631E9098B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 00Ib
                                      • API String ID: 0-1996699157
                                      • Opcode ID: 94637b37977b380b6d8f5552d228d7ed785c43a112f4300b46994e6d4c880c89
                                      • Instruction ID: 47ed8076a70035953cf547b1d0fabe9f8f19dfbea49840aa5485feac178cd378
                                      • Opcode Fuzzy Hash: 94637b37977b380b6d8f5552d228d7ed785c43a112f4300b46994e6d4c880c89
                                      • Instruction Fuzzy Hash: 8131D432B66621D7D308897EC860B4BB3D79BC5764F55C22BA859C3750D5B8CC428781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID:
                                      • API String ID: 2221118986-0
                                      • Opcode ID: 4793f309d4b477a4a255f244b689c64fc5ba8f53cd1a1c6c902018e1f46f8868
                                      • Instruction ID: d0ec12bd54fe014c16a46e0f3a2aa00f910bf2d7ac6565d4de0657d27f451c72
                                      • Opcode Fuzzy Hash: 4793f309d4b477a4a255f244b689c64fc5ba8f53cd1a1c6c902018e1f46f8868
                                      • Instruction Fuzzy Hash: B0419736A183158FC714CE39D89025BF7E2AFC8304F098A6DE8C9E7755D631E9058B86
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cbfed040cc350f9fd59cb8271e1be1f16654e09b398c2feb77068450b9bbe418
                                      • Instruction ID: 9957f4c4087d2eb1905f693f290502094b70e56f9a117a61b2e7a8c403008a6d
                                      • Opcode Fuzzy Hash: cbfed040cc350f9fd59cb8271e1be1f16654e09b398c2feb77068450b9bbe418
                                      • Instruction Fuzzy Hash: 09620674D04269CBDB24CFA8C4A06EDBBB1FF48308F20816DC899AB395D7785986CF54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 179ba01b676e9bfb6a232a472cd12f1a68e9df7310133ca9ef2023848d7b84f8
                                      • Instruction ID: e42ec29be8b5d45d3129bbedd441990b735a0303d4e9108531445820a5536ff9
                                      • Opcode Fuzzy Hash: 179ba01b676e9bfb6a232a472cd12f1a68e9df7310133ca9ef2023848d7b84f8
                                      • Instruction Fuzzy Hash: D251A470A046188BDB298EADC4F17DA77B0EB0630CF2085B9C6EEDB350D6759691CF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9e105391766f0ab4855c16481151d701a6c3501fc1efd9a16d337f89b6c32a7f
                                      • Instruction ID: 1127256c9fd36870edb8a28e7fe60fa87920e39060669afeb26e6129623aeee0
                                      • Opcode Fuzzy Hash: 9e105391766f0ab4855c16481151d701a6c3501fc1efd9a16d337f89b6c32a7f
                                      • Instruction Fuzzy Hash: 8E316072F00125479B14CABE98A01DEF7E7ABDC668B29C236D819E3344E571DC0287D0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • EVP_des_cbc.LIBCRYPTO-1_1 ref: 6CC7B9E3
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7B9EB
                                      • EVP_des_ede3_cbc.LIBCRYPTO-1_1 ref: 6CC7B9F0
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7B9F8
                                      • EVP_rc4.LIBCRYPTO-1_1 ref: 6CC7B9FD
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BA05
                                      • EVP_rc4_hmac_md5.LIBCRYPTO-1_1 ref: 6CC7BA0A
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BA12
                                      • EVP_rc2_cbc.LIBCRYPTO-1_1 ref: 6CC7BA17
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BA1F
                                      • EVP_rc2_40_cbc.LIBCRYPTO-1_1 ref: 6CC7BA24
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BA2C
                                      • EVP_aes_128_cbc.LIBCRYPTO-1_1 ref: 6CC7BA31
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BA39
                                      • EVP_aes_192_cbc.LIBCRYPTO-1_1 ref: 6CC7BA3E
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BA46
                                      • EVP_aes_256_cbc.LIBCRYPTO-1_1 ref: 6CC7BA4B
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BA53
                                      • EVP_aes_128_gcm.LIBCRYPTO-1_1 ref: 6CC7BA58
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BA60
                                      • EVP_aes_256_gcm.LIBCRYPTO-1_1 ref: 6CC7BA65
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BA6D
                                      • EVP_aes_128_ccm.LIBCRYPTO-1_1 ref: 6CC7BA72
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BA7A
                                      • EVP_aes_256_ccm.LIBCRYPTO-1_1 ref: 6CC7BA7F
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BA87
                                      • EVP_aes_128_cbc_hmac_sha1.LIBCRYPTO-1_1 ref: 6CC7BA8C
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BA94
                                      • EVP_aes_256_cbc_hmac_sha1.LIBCRYPTO-1_1 ref: 6CC7BA99
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BAA1
                                      • EVP_aes_128_cbc_hmac_sha256.LIBCRYPTO-1_1 ref: 6CC7BAA6
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BAAE
                                      • EVP_aes_256_cbc_hmac_sha256.LIBCRYPTO-1_1 ref: 6CC7BAB3
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BABB
                                      • EVP_aria_128_gcm.LIBCRYPTO-1_1 ref: 6CC7BAC0
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BAC8
                                      • EVP_aria_256_gcm.LIBCRYPTO-1_1 ref: 6CC7BACD
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BAD5
                                      • EVP_camellia_128_cbc.LIBCRYPTO-1_1 ref: 6CC7BADA
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BAE2
                                      • EVP_camellia_256_cbc.LIBCRYPTO-1_1 ref: 6CC7BAE7
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BAEF
                                      • EVP_chacha20_poly1305.LIBCRYPTO-1_1 ref: 6CC7BAF4
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BAFC
                                      • EVP_seed_cbc.LIBCRYPTO-1_1 ref: 6CC7BB01
                                      • EVP_add_cipher.LIBCRYPTO-1_1 ref: 6CC7BB09
                                      • EVP_md5.LIBCRYPTO-1_1 ref: 6CC7BB0E
                                      • EVP_add_digest.LIBCRYPTO-1_1 ref: 6CC7BB16
                                      • OBJ_NAME_add.LIBCRYPTO-1_1 ref: 6CC7BB32
                                      • EVP_md5_sha1.LIBCRYPTO-1_1 ref: 6CC7BB37
                                      • EVP_add_digest.LIBCRYPTO-1_1 ref: 6CC7BB3F
                                      • EVP_sha1.LIBCRYPTO-1_1 ref: 6CC7BB44
                                      • EVP_add_digest.LIBCRYPTO-1_1 ref: 6CC7BB4C
                                      • OBJ_NAME_add.LIBCRYPTO-1_1 ref: 6CC7BB68
                                      • OBJ_NAME_add.LIBCRYPTO-1_1 ref: 6CC7BB84
                                      • EVP_sha224.LIBCRYPTO-1_1 ref: 6CC7BB89
                                      • EVP_add_digest.LIBCRYPTO-1_1 ref: 6CC7BB91
                                      • EVP_sha256.LIBCRYPTO-1_1 ref: 6CC7BB96
                                      • EVP_add_digest.LIBCRYPTO-1_1 ref: 6CC7BB9E
                                      • EVP_sha384.LIBCRYPTO-1_1 ref: 6CC7BBA3
                                      • EVP_add_digest.LIBCRYPTO-1_1 ref: 6CC7BBAB
                                      • EVP_sha512.LIBCRYPTO-1_1 ref: 6CC7BBB0
                                      • EVP_add_digest.LIBCRYPTO-1_1 ref: 6CC7BBB8
                                        • Part of subcall function 6CC794A0: CRYPTO_THREAD_run_once.LIBCRYPTO-1_1 ref: 6CC794B2
                                        • Part of subcall function 6CC77A30: OBJ_nid2sn.LIBCRYPTO-1_1 ref: 6CC77A71
                                        • Part of subcall function 6CC77A30: EVP_get_cipherbyname.LIBCRYPTO-1_1 ref: 6CC77A79
                                        • Part of subcall function 6CC77A30: OBJ_nid2sn.LIBCRYPTO-1_1 ref: 6CC77AD9
                                        • Part of subcall function 6CC77A30: EVP_get_digestbyname.LIBCRYPTO-1_1 ref: 6CC77AE1
                                        • Part of subcall function 6CC77A30: EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1 ref: 6CC77B5B
                                        • Part of subcall function 6CC77A30: EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1 ref: 6CC77B8F
                                        • Part of subcall function 6CC77A30: ENGINE_finish.LIBCRYPTO-1_1 ref: 6CC77BA3
                                        • Part of subcall function 6CC77A30: EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1 ref: 6CC77BE6
                                        • Part of subcall function 6CC77A30: EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1 ref: 6CC77C1A
                                        • Part of subcall function 6CC77A30: ENGINE_finish.LIBCRYPTO-1_1 ref: 6CC77C2E
                                      • OPENSSL_atexit.LIBCRYPTO-1_1 ref: 6CC7BBD2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: P_add_cipher$P_add_digest$E_add$E_finishJ_nid2snY_asn1_find_strY_asn1_get0_info$D_run_onceL_atexitP_aes_128_cbcP_aes_128_cbc_hmac_sha1P_aes_128_cbc_hmac_sha256P_aes_128_ccmP_aes_128_gcmP_aes_192_cbcP_aes_256_cbcP_aes_256_cbc_hmac_sha1P_aes_256_cbc_hmac_sha256P_aes_256_ccmP_aes_256_gcmP_aria_128_gcmP_aria_256_gcmP_camellia_128_cbcP_camellia_256_cbcP_chacha20_poly1305P_des_cbcP_des_ede3_cbcP_get_cipherbynameP_get_digestbynameP_md5P_md5_sha1P_rc2_40_cbcP_rc2_cbcP_rc4P_rc4_hmac_md5P_seed_cbcP_sha1P_sha224P_sha256P_sha384P_sha512
                                      • String ID: MD5$RSA-SHA1$RSA-SHA1-2$SHA1$ssl3-md5$ssl3-sha1
                                      • API String ID: 1484551477-3803824401
                                      • Opcode ID: 54d77e22973070e8538bb19ebeebec33449974bb091b87798e0433da02499131
                                      • Instruction ID: 99158490bc4291dbbc8d5b51ae7c134711d4293b14d14f65ac4a0fe204eb76a2
                                      • Opcode Fuzzy Hash: 54d77e22973070e8538bb19ebeebec33449974bb091b87798e0433da02499131
                                      • Instruction Fuzzy Hash: 7F41C0B0449E009ADB187FF4C2551EDBAA0AF41248F864C3C8491EBF58FB3590AC8B63
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_printf$O_puts
                                      • String ID: Compression: %d$ Compression: %d (%s)$ Master-Key: $ PSK identity hint: $ PSK identity: $ Resumption PSK: $ SRP username: $ Session-ID-ctx: $ Start Time: %ld$ TLS session ticket lifetime hint: %ld (seconds)$ TLS session ticket:$ Timeout : %ld (sec)$ Cipher : %04lX$ Cipher : %06lX$ Cipher : %s$ Extended master secret: %s$ Max Early Data: %u$ Protocol : %s$ Session-ID: $ Verify return code: $%02X$%ld (%s)$None$SSL-Session:$unknown$yes
                                      • API String ID: 3508759399-1088782760
                                      • Opcode ID: 52579ebc0eb1c3c3bb5696ad9e0d53282287c01d0f768f78917d9d4514b33910
                                      • Instruction ID: a309cc6a704eb8fa8f60bdac99462ad3782f4ec726f224ef5dd5bd64b00b6a77
                                      • Opcode Fuzzy Hash: 52579ebc0eb1c3c3bb5696ad9e0d53282287c01d0f768f78917d9d4514b33910
                                      • Instruction Fuzzy Hash: 7DC1207060A7119AD700AF65C9A135FBEF4AF45788F04C8ADE888DBB25F735C8419B93
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$sem_destroy$_errnofreepthread_mutex_unlock
                                      • String ID: 0Ib$ 0Ib$,0Ib
                                      • API String ID: 2697538053-322448077
                                      • Opcode ID: 764b6ea695bbe79398fef36560db64ea86ee1b56fbcc798253f1df5057fa2467
                                      • Instruction ID: 5c6b8f8bf3f909e4653e8845ab6e5be26d0613f209f803b196b899961ee088e9
                                      • Opcode Fuzzy Hash: 764b6ea695bbe79398fef36560db64ea86ee1b56fbcc798253f1df5057fa2467
                                      • Instruction Fuzzy Hash: 5EE12C70619B02CFD704EF39C9A0B1ABBE1AF85718F11892DD4989B380EB79D545CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 6CC6ACA3
                                      • EVP_MD_size.LIBCRYPTO-1_1 ref: 6CC6ACAB
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CC6ACDD
                                      • EVP_MD_CTX_copy_ex.LIBCRYPTO-1_1 ref: 6CC6AD0C
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6AD2C
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6AD48
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6AD68
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6AD88
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6ADAB
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6ADC9
                                      • EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 6CC6ADEC
                                      • EVP_MD_CTX_copy_ex.LIBCRYPTO-1_1 ref: 6CC6AE00
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6AE20
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6AE38
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6AE57
                                      • EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 6CC6AE76
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC6AE82
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC6AEAB
                                      • EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 6CC6AEC9
                                      • EVP_MD_size.LIBCRYPTO-1_1 ref: 6CC6AED1
                                      • EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 6CC6AF08
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CC6AF10
                                      • memcpy.MSVCRT ref: 6CC6AF4E
                                      • memcpy.MSVCRT ref: 6CC6AF6C
                                      Strings
                                      • 666666666666666666666666666666666666666666666666, xrefs: 6CC6AD3D, 6CC6AF5F
                                      • \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\, xrefs: 6CC6AE2D
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Digest$Update$D_sizeFinal_exX_copy_exX_freeX_mdmemcpy$R_flagsX_cipherX_new
                                      • String ID: 666666666666666666666666666666666666666666666666$\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                      • API String ID: 1548692066-3472175243
                                      • Opcode ID: d39180fe127781bf7772f7af31d4227aacc8fb0f46c1638948fd4d1ddd326db6
                                      • Instruction ID: abc5b17f2656dc6255826121e1720200bf4480bd2342f77247812b3385dde7cc
                                      • Opcode Fuzzy Hash: d39180fe127781bf7772f7af31d4227aacc8fb0f46c1638948fd4d1ddd326db6
                                      • Instruction Fuzzy Hash: 2BA1C2B5609B519FD304DF69C68465EFBE4BF89744F40896EE8C8E7B00E774E8488B42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_self.PTHREADGC2 ref: 6248AB5F
                                        • Part of subcall function 624859C4: pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,62485568), ref: 624859D2
                                      • WaitForMultipleObjects.KERNEL32 ref: 6248AB98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: MultipleObjectsWaitpthread_getspecificpthread_self
                                      • String ID: 40Ib$40Ib
                                      • API String ID: 2884636504-1775419244
                                      • Opcode ID: c338cc5b2da1166706ef63746e2fd0e20933603ee93300f9eb5478b9cd23cacd
                                      • Instruction ID: e4d537ff8b970c380cdb3c170cd267c6585d6da0b764a4681caf0be14c34d2df
                                      • Opcode Fuzzy Hash: c338cc5b2da1166706ef63746e2fd0e20933603ee93300f9eb5478b9cd23cacd
                                      • Instruction Fuzzy Hash: E5D14EB16193118BD704DF39C460B2BBBE1AF85368F05892DE9988B380DB79D545CBD3
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BIO_s_file.LIBCRYPTO-1_1 ref: 6CC75887
                                      • BIO_new.LIBCRYPTO-1_1 ref: 6CC7588F
                                      • OPENSSL_LH_new.LIBCRYPTO-1_1 ref: 6CC758AD
                                      • BIO_ctrl.LIBCRYPTO-1_1 ref: 6CC758E3
                                      • PEM_read_bio_X509.LIBCRYPTO-1_1 ref: 6CC7590B
                                      • X509_get_subject_name.LIBCRYPTO-1_1 ref: 6CC75923
                                      • X509_NAME_dup.LIBCRYPTO-1_1 ref: 6CC75931
                                      • OPENSSL_LH_retrieve.LIBCRYPTO-1_1 ref: 6CC75943
                                      • X509_NAME_free.LIBCRYPTO-1_1 ref: 6CC75955
                                      • OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 6CC75960
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC75992
                                      • X509_NAME_free.LIBCRYPTO-1_1 ref: 6CC759A3
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC759B5
                                      • BIO_free.LIBCRYPTO-1_1 ref: 6CC759BD
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC759C9
                                      • OPENSSL_LH_free.LIBCRYPTO-1_1 ref: 6CC759D1
                                      • OPENSSL_LH_insert.LIBCRYPTO-1_1 ref: 6CC759E7
                                      • OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 6CC759F3
                                      • BIO_free.LIBCRYPTO-1_1 ref: 6CC75A0B
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC75A17
                                      • OPENSSL_LH_free.LIBCRYPTO-1_1 ref: 6CC75A1F
                                      • ERR_clear_error.LIBCRYPTO-1_1 ref: 6CC75A28
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC75A6B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X509_$E_freeH_freeO_freeR_put_errorX509_free$E_dupH_insertH_newH_retrieveL_sk_new_nullL_sk_pop_freeL_sk_pushM_read_bio_O_ctrlO_newO_s_fileR_clear_errorX509X509_get_subject_name
                                      • String ID: A$l
                                      • API String ID: 3214646118-1005974064
                                      • Opcode ID: c3c1adfedafa4f45d54dba35fe77411e2107b8f3e4c46bea0bce452d5930274e
                                      • Instruction ID: 8455fa49f2100cc99bc133db5781283ad2aeac0925d01e9be6ee804d7e8930c3
                                      • Opcode Fuzzy Hash: c3c1adfedafa4f45d54dba35fe77411e2107b8f3e4c46bea0bce452d5930274e
                                      • Instruction Fuzzy Hash: D94105B1109B058ED714AFA5C48036EBBE4FF80358F41882CE9D8A7B40FB75D4499BA7
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CCB2180: X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CCB21CD
                                        • Part of subcall function 6CCB2180: EVP_PKEY_security_bits.LIBCRYPTO-1_1 ref: 6CCB21DE
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC86D1B
                                      • X509_get_pubkey.LIBCRYPTO-1_1 ref: 6CC86D2B
                                      • EVP_PKEY_missing_parameters.LIBCRYPTO-1_1 ref: 6CC86D4D
                                      • EVP_PKEY_missing_parameters.LIBCRYPTO-1_1 ref: 6CC86D5D
                                      • EVP_PKEY_copy_parameters.LIBCRYPTO-1_1 ref: 6CC86D75
                                      • EVP_PKEY_cmp.LIBCRYPTO-1_1 ref: 6CC86D85
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC86DFE
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC86E33
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC86E43
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_errorY_missing_parameters$L_sk_numX509_get0_pubkeyX509_get_pubkeyY_cmpY_copy_parametersY_freeY_security_bits
                                      • String ID: A
                                      • API String ID: 1453465034-3554254475
                                      • Opcode ID: de663cca9008b58373ecf10f339c9e0b1732632a08ca73a54a4fe7ede4cb2c2b
                                      • Instruction ID: 7b0e1a097cafb343b7c41cf81700d98e62ea8f16a016dee656f5af8c1dd35357
                                      • Opcode Fuzzy Hash: de663cca9008b58373ecf10f339c9e0b1732632a08ca73a54a4fe7ede4cb2c2b
                                      • Instruction Fuzzy Hash: 53A112B091AB069FD704DF69C08475FBBE0BF85708F01892DE4989BB50E775E948CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$ObjectSingleWait$pthread_equalpthread_self$CloseCreateHandle
                                      • String ID: 00Ib$00Ib
                                      • API String ID: 4018796677-3143399735
                                      • Opcode ID: 77074f3d504798ca0d636a72bcd6d98a8419e553bd5ed188a103e09cba2e5062
                                      • Instruction ID: 4b5e02841eb104ac91b603bd3b23e4eb402a2909b6e6ad553adb0a6a8227033e
                                      • Opcode Fuzzy Hash: 77074f3d504798ca0d636a72bcd6d98a8419e553bd5ed188a103e09cba2e5062
                                      • Instruction Fuzzy Hash: 62E15E746187018FD704DF38C4A0B1ABBE1AF85728F108A6DD8688F395DB79D985CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_lock.PTHREADGC2 ref: 62489D83
                                      • pthread_mutex_lock.PTHREADGC2 ref: 62489D94
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62489DB9
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62489DC3
                                      • SetEvent.KERNEL32 ref: 62489E24
                                      • SetEvent.KERNEL32(00000000), ref: 62489E73
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Eventpthread_mutex_lockpthread_mutex_unlock
                                      • String ID: (0Ib$(0Ib
                                      • API String ID: 864068950-971630126
                                      • Opcode ID: 5efa33e29e365dfccee06321513bcb8635aebf8ed7fbe9eaa9a3ae15c540cefc
                                      • Instruction ID: d95caed51f7f7ef76fdebcf8654f8e7deb9af60c29cada252207af0f362cb326
                                      • Opcode Fuzzy Hash: 5efa33e29e365dfccee06321513bcb8635aebf8ed7fbe9eaa9a3ae15c540cefc
                                      • Instruction Fuzzy Hash: 82617571128B068FD751AF78C560B1ABBE1AF85758F01C92CD4998B380EB3ED546CBC6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_testcancel$ObjectSingleSleepWaitpthread_self
                                      • String ID:
                                      • API String ID: 1640746926-0
                                      • Opcode ID: 80fb9c7b1cf065040cedce52d7a0a05687c946ce6a7eea4179b2bde78da8459e
                                      • Instruction ID: 430836e4bc4bacf97ebac3c4ad1e9a0423cd56b27deee1e74b07d253819d3aaf
                                      • Opcode Fuzzy Hash: 80fb9c7b1cf065040cedce52d7a0a05687c946ce6a7eea4179b2bde78da8459e
                                      • Instruction Fuzzy Hash: 06C14FB06157028FD715AF39C860B2BB7E5AF85718F058A2DE898CB380DB39D545CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$Create
                                      • String ID: 40Ib$40Ib
                                      • API String ID: 1287507382-1775419244
                                      • Opcode ID: cf938021c1ccf1f531f9cd12020f411341faddce5ac9abab2156344305d79e26
                                      • Instruction ID: 584c8828d86234b02c2051be1c2cc070bbf35f51a350ff41df1bb38564450644
                                      • Opcode Fuzzy Hash: cf938021c1ccf1f531f9cd12020f411341faddce5ac9abab2156344305d79e26
                                      • Instruction Fuzzy Hash: 1CC149B06157419FE704EF29C564B1BBBE1BF85718F008A2DE8A88B780DB79D545CF82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$sem_init$CloseCreateHandle_errnocallocfreepthread_mutex_init
                                      • String ID: $ 0Ib$ 0Ib
                                      • API String ID: 4185087634-169993702
                                      • Opcode ID: be47b92a1a4aee58bf3322a416cb21c5d281b47b8c82653f75f16f00b1ba9353
                                      • Instruction ID: 75da85fc42cf9cf37ebe59a15c02a36c0af402cc8ffe5248b6ce9a35761834cb
                                      • Opcode Fuzzy Hash: be47b92a1a4aee58bf3322a416cb21c5d281b47b8c82653f75f16f00b1ba9353
                                      • Instruction Fuzzy Hash: FB714C756193068FE704AF39C860B1BBBE0AF86358F01892DE4988F350DB79C545CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_CTX_new_id.LIBCRYPTO-1_1 ref: 6CCB386A
                                      • EVP_MD_size.LIBCRYPTO-1_1 ref: 6CCB387C
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CCB389C
                                      • EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 6CCB38BA
                                      • EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 6CCB38DD
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCB38F1
                                        • Part of subcall function 6CCB2BB0: EVP_PKEY_CTX_new_id.LIBCRYPTO-1_1 ref: 6CCB2BC9
                                        • Part of subcall function 6CCB2BB0: EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CCB2C2E
                                      • EVP_PKEY_derive_init.LIBCRYPTO-1_1 ref: 6CCB3952
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCB3986
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CCB39CC
                                      • OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 6CCB39DC
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCB3A43
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CCB3A4B
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCB3AC7
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCB3B05
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCB3B39
                                      • EVP_PKEY_derive.LIBCRYPTO-1_1 ref: 6CCB3B5B
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CCB3B7B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_free$X_ctrl$DigestX_new_id$D_sizeFinal_exInit_exL_cleanseX_newY_deriveY_derive_init
                                      • String ID: D$P$derived
                                      • API String ID: 3879300329-2753267337
                                      • Opcode ID: 57025eac877207fa37431e1417878f1c64e755026a00829c4463975709442f69
                                      • Instruction ID: 69d3a7448f978a4615a16b850f801240ce6733b48d572264f4c769b370a2920d
                                      • Opcode Fuzzy Hash: 57025eac877207fa37431e1417878f1c64e755026a00829c4463975709442f69
                                      • Instruction Fuzzy Hash: 9E7193B05097429FE310DFA5C58435FBBE4AF84358F118D2DE5E8AB740EB79D4488B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_CIPHER_key_length.LIBCRYPTO-1_1 ref: 6CCAC7D5
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CCAC7E1
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CCAC7F3
                                      • memcpy.MSVCRT ref: 6CCAC868
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CCAC870
                                      • EVP_PKEY_new_mac_key.LIBCRYPTO-1_1 ref: 6CCAC899
                                      • EVP_DigestSignInit.LIBCRYPTO-1_1 ref: 6CCAC8CB
                                      • COMP_CTX_free.LIBCRYPTO-1_1 ref: 6CCACA5C
                                      • COMP_CTX_new.LIBCRYPTO-1_1 ref: 6CCACA75
                                      • EVP_CIPHER_CTX_reset.LIBCRYPTO-1_1 ref: 6CCACAB8
                                      • EVP_CIPHER_CTX_new.LIBCRYPTO-1_1 ref: 6CCACAF0
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CCACB17
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_flagsX_new$DigestInitR_key_lengthSignX_freeX_resetY_new_mac_keymemcpy
                                      • String ID: !$D$P
                                      • API String ID: 3267203239-4173552782
                                      • Opcode ID: 78829f05b52fe9a9c300db0198800bd0a58f180c4278932f925b01a59b803849
                                      • Instruction ID: bee0b4792c4f7a979477c920a111f5625ef92bdd7eb3663a5d05a306fc4cfcfe
                                      • Opcode Fuzzy Hash: 78829f05b52fe9a9c300db0198800bd0a58f180c4278932f925b01a59b803849
                                      • Instruction Fuzzy Hash: 1E7118B1909B029FC700EFA4C48475EBBE0FF45748F45886DE998AB711E776D845CB42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$pthread_equalpthread_self
                                      • String ID: 00Ib$00Ib
                                      • API String ID: 4252371553-3143399735
                                      • Opcode ID: df0d4fedd25e9aa890ec0607af74fb6d9912d41ea212317f684687d7e089f1a5
                                      • Instruction ID: 1b76d9a27f9589e0acad61f1da92a80ed6212d12696907a0ba393f2260bd8d83
                                      • Opcode Fuzzy Hash: df0d4fedd25e9aa890ec0607af74fb6d9912d41ea212317f684687d7e089f1a5
                                      • Instruction Fuzzy Hash: 6AB160706143018FD704DF29C4A0B1ABBE1BF89328F16CA6DD8A98B355D739D586CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: 40Ib$40Ib
                                      • API String ID: 4201588131-1775419244
                                      • Opcode ID: a4edcf42e6fc0d01650ff76b4edda30c45995600eb74ddf52d3cd89caa306c04
                                      • Instruction ID: 567f79db41a0bb9b57a5034b7b089b3d29cc60533b3e2c5c67fbc4ab7c1bad70
                                      • Opcode Fuzzy Hash: a4edcf42e6fc0d01650ff76b4edda30c45995600eb74ddf52d3cd89caa306c04
                                      • Instruction Fuzzy Hash: E3B12B706197028BD705DF29C864B1BBBE5AFC5758F018A2DE4A88B384DB79C545CBC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • sem_wait.PTHREADGC2 ref: 6248C181
                                        • Part of subcall function 6248B5C8: pthread_testcancel.PTHREADGC2 ref: 6248B5D5
                                        • Part of subcall function 6248B5C8: pthread_mutex_lock.PTHREADGC2 ref: 6248B5E4
                                        • Part of subcall function 6248B5C8: pthread_mutex_unlock.PTHREADGC2 ref: 6248B5FD
                                      • sem_post.PTHREADGC2 ref: 6248C18F
                                        • Part of subcall function 62487BC8: pthread_mutex_lock.PTHREADGC2 ref: 62487BDF
                                        • Part of subcall function 62487BC8: pthread_mutex_unlock.PTHREADGC2 ref: 62487C03
                                      • ptw32_push_cleanup.PTHREADGC2 ref: 6248C1BF
                                        • Part of subcall function 6248A83C: pthread_getspecific.PTHREADGC2 ref: 6248A859
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 6248C1C7
                                      • ptw32_pop_cleanup.PTHREADGC2 ref: 6248C1DB
                                      • _errno.MSVCRT ref: 6248C1F8
                                      • sem_timedwait.PTHREADGC2 ref: 6248C216
                                      • _errno.MSVCRT ref: 6248C21F
                                      • SetEvent.KERNEL32 ref: 6248C278
                                      • SetEvent.KERNEL32(00000000,00000000,00000000), ref: 6248C2D4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_mutex_unlock$Event_errnopthread_mutex_lock$pthread_getspecificpthread_testcancelptw32_pop_cleanupptw32_push_cleanupsem_postsem_timedwaitsem_wait
                                      • String ID: ,0Ib$,0Ib
                                      • API String ID: 4201842389-3949404277
                                      • Opcode ID: aba43c759a62c9a65cecc43a5f94ba5325d51385b4348491598a655008f4d921
                                      • Instruction ID: ed5ccd0084515db3812963aed8b02f251c6edc697c60eb609385e8fe288bd988
                                      • Opcode Fuzzy Hash: aba43c759a62c9a65cecc43a5f94ba5325d51385b4348491598a655008f4d921
                                      • Instruction Fuzzy Hash: 4F811A70519702CFD709DF69C4A0B1BBBE0AF85758F008A2DE9A88B390DB79D545CF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • sem_wait.PTHREADGC2 ref: 6248C70C
                                        • Part of subcall function 6248B5C8: pthread_testcancel.PTHREADGC2 ref: 6248B5D5
                                        • Part of subcall function 6248B5C8: pthread_mutex_lock.PTHREADGC2 ref: 6248B5E4
                                        • Part of subcall function 6248B5C8: pthread_mutex_unlock.PTHREADGC2 ref: 6248B5FD
                                      • sem_post.PTHREADGC2 ref: 6248C71A
                                        • Part of subcall function 62487BC8: pthread_mutex_lock.PTHREADGC2 ref: 62487BDF
                                        • Part of subcall function 62487BC8: pthread_mutex_unlock.PTHREADGC2 ref: 62487C03
                                      • ptw32_push_cleanup.PTHREADGC2 ref: 6248C74A
                                        • Part of subcall function 6248A83C: pthread_getspecific.PTHREADGC2 ref: 6248A859
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 6248C752
                                      • ptw32_pop_cleanup.PTHREADGC2 ref: 6248C76A
                                      • _errno.MSVCRT ref: 6248C790
                                      • SetEvent.KERNEL32 ref: 6248C7E8
                                      • SetEvent.KERNEL32(00000000), ref: 6248C848
                                      • sem_timedwait.PTHREADGC2 ref: 6248C876
                                      • _errno.MSVCRT ref: 6248C883
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_mutex_unlock$Event_errnopthread_mutex_lock$pthread_getspecificpthread_testcancelptw32_pop_cleanupptw32_push_cleanupsem_postsem_timedwaitsem_wait
                                      • String ID: ,0Ib$,0Ib
                                      • API String ID: 4201842389-3949404277
                                      • Opcode ID: e106f6ad249a74bb4f0723f65e140e52f76e3bfceb570d38c966e281fafe7441
                                      • Instruction ID: 671b96c5e815200851885c4fcbba4dad442a2894eac12de8bb8b4533a5b473e8
                                      • Opcode Fuzzy Hash: e106f6ad249a74bb4f0723f65e140e52f76e3bfceb570d38c966e281fafe7441
                                      • Instruction Fuzzy Hash: 887140719197128FD704DF39C4A0B1BBBE0AF85758F018A2DE8988B390DB39D545CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_timedlock.PTHREADGC2 ref: 6248C447
                                      • pthread_mutex_timedlock.PTHREADGC2 ref: 6248C460
                                      • ptw32_push_cleanup.PTHREADGC2 ref: 6248C4A8
                                      • pthread_cond_timedwait.PTHREADGC2 ref: 6248C4C7
                                      • ptw32_pop_cleanup.PTHREADGC2 ref: 6248C4E6
                                      • SetEvent.KERNEL32 ref: 6248C544
                                      • SetEvent.KERNEL32(00000000), ref: 6248C596
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Eventpthread_mutex_timedlock$pthread_cond_timedwaitptw32_pop_cleanupptw32_push_cleanup
                                      • String ID: (0Ib$(0Ib
                                      • API String ID: 10865500-971630126
                                      • Opcode ID: 1b3895cf60166baf62c999ac471e97555938a384d049ddc5b389cc9c47731378
                                      • Instruction ID: d91c2851f7f527505f6bb61f8ae4c9933b699ff1348471d4b8e3d13d35dbebc3
                                      • Opcode Fuzzy Hash: 1b3895cf60166baf62c999ac471e97555938a384d049ddc5b389cc9c47731378
                                      • Instruction Fuzzy Hash: 9B7150705297169FD708DF39C560B1BBBE0AF85758F418A2DE8989B380D738D985CBC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Eventpthread_mutex_lock$pthread_cond_waitptw32_pop_cleanupptw32_push_cleanup
                                      • String ID: (0Ib$(0Ib
                                      • API String ID: 3175075169-971630126
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,?,?,?,62485508), ref: 62485298
                                      • pthread_key_delete.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,?,?,?,62485508), ref: 624852C8
                                      • pthread_key_delete.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,?,?,?,62485508), ref: 624852E3
                                      • SetEvent.KERNEL32 ref: 6248533B
                                      • CreateEventA.KERNEL32(?), ref: 6248536E
                                      • CloseHandle.KERNEL32 ref: 62485389
                                      • SetEvent.KERNEL32 ref: 624853D7
                                      • GetProcAddress.KERNEL32 ref: 624853FF
                                      • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 62485415
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$pthread_key_delete$AddressCloseCreateFreeHandleLibraryProcpthread_getspecific
                                      • String ID: 40Ib$40Ib$QueueUserAPCEx_Fini
                                      • API String ID: 2430466546-4210186421
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_self.PTHREADGC2 ref: 62485563
                                        • Part of subcall function 624859C4: pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,62485568), ref: 624859D2
                                      • SetEvent.KERNEL32 ref: 624855E2
                                      • SetEvent.KERNEL32 ref: 6248563E
                                      • calloc.MSVCRT ref: 6248568B
                                      • SetEvent.KERNEL32(00000000), ref: 624857A8
                                      • SetEvent.KERNEL32(00000000), ref: 624857D7
                                      • TlsSetValue.KERNEL32 ref: 624857F5
                                      • pthread_getspecific.PTHREADGC2 ref: 62485813
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$pthread_getspecific$Valuecallocpthread_self
                                      • String ID:
                                      • API String ID: 3177204993-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_trylock.PTHREADGC2 ref: 6248843B
                                      • pthread_mutex_trylock.PTHREADGC2 ref: 6248844C
                                      • SetEvent.KERNEL32 ref: 624884D4
                                      • SetEvent.KERNEL32(00000000), ref: 62488526
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Eventpthread_mutex_trylock
                                      • String ID: (0Ib$(0Ib
                                      • API String ID: 452211298-971630126
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BIO_free.LIBCRYPTO-1_1 ref: 6CC6FDB4
                                      • EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 6CC6FDCF
                                      • EVP_MD_type.LIBCRYPTO-1_1 ref: 6CC6FDD7
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CC6FE20
                                      • EVP_MD_CTX_copy_ex.LIBCRYPTO-1_1 ref: 6CC6FE3F
                                      • EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 6CC6FE4B
                                      • EVP_MD_size.LIBCRYPTO-1_1 ref: 6CC6FE53
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6FE79
                                      • EVP_MD_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CC6FEA1
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC6FEE7
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • BIO_ctrl.LIBCRYPTO-1_1 ref: 6CC6FF1B
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CC6FF2D
                                      • EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 6CC6FF6D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: DigestX_mdX_new$D_sizeD_typeInit_exO_ctrlO_freeR_put_errorUpdateX_copy_exX_ctrlX_free
                                      • String ID: A$P
                                      • API String ID: 2384957067-345673399
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_sha1.LIBCRYPTO-1_1 ref: 6CC6F615
                                      • EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 6CC6F62D
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6F649
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6F66D
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6F691
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6F6B5
                                      • EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 6CC6F6D9
                                      • EVP_md5.LIBCRYPTO-1_1 ref: 6CC6F6E6
                                      • EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 6CC6F6FE
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6F722
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6F742
                                      • EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 6CC6F76D
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC6F7EC
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC6F7F8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Digest$Update$Final_exInit_exX_free$P_md5P_sha1
                                      • String ID: $D$P
                                      • API String ID: 2676044378-3315823934
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_kill.PTHREADGC2 ref: 6248B05A
                                        • Part of subcall function 62482540: SetEvent.KERNEL32 ref: 6248259C
                                        • Part of subcall function 62482540: SetEvent.KERNEL32(00000000), ref: 624825F0
                                      • pthread_self.PTHREADGC2 ref: 6248B070
                                      • pthread_equal.PTHREADGC2 ref: 6248B08C
                                      • SetEvent.KERNEL32 ref: 6248B0D8
                                      • CreateEventA.KERNEL32 ref: 6248B10F
                                      • CloseHandle.KERNEL32 ref: 6248B12E
                                      • SetEvent.KERNEL32 ref: 6248B188
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$CloseCreateHandlepthread_equalpthread_killpthread_self
                                      • String ID:
                                      • API String ID: 3567724137-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: (0Ib$(0Ib
                                      • API String ID: 4201588131-971630126
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: (0Ib$(0Ib
                                      • API String ID: 4201588131-971630126
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: (0Ib$(0Ib
                                      • API String ID: 4201588131-971630126
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_CTX_new_id.LIBCRYPTO-1_1 ref: 6CCAD07E
                                      • EVP_PKEY_derive_init.LIBCRYPTO-1_1 ref: 6CCAD090
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAD0C4
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAD0FF
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAD13D
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAD171
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAD1A9
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAD1E1
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCAD219
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_ctrl$X_new_idY_derive_init
                                      • String ID: @$D$P
                                      • API String ID: 1261340603-1553007219
                                      • Opcode ID: 4ebbdcbb18db105ec253cb5ea79a95962c60daabbb2fb9699a6e5705dd825d5d
                                      • Instruction ID: 295f6111a6bba9c412c4ce38f5408473f98544ab7b7040eb4d9b5986f6e8328e
                                      • Opcode Fuzzy Hash: 4ebbdcbb18db105ec253cb5ea79a95962c60daabbb2fb9699a6e5705dd825d5d
                                      • Instruction Fuzzy Hash: 7771A2B01097429FE310AF65C54834FBBE0AF85759F018A1DE9D89B790E7B9C54A8F82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_sha256.LIBCRYPTO-1_1 ref: 6CC71C7F
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC71EFE
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC71F12
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC72076
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC72092
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC720A7
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC720CC
                                      • OPENSSL_sk_new_reserve.LIBCRYPTO-1_1 ref: 6CC720E9
                                      • OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 6CC72108
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC72167
                                      • OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 6CC72180
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_value$L_sk_num$L_sk_push$L_sk_new_reserveP_sha256
                                      • String ID:
                                      • API String ID: 2750470393-0
                                      • Opcode ID: d66cb79d09d175b9eaf675cc75bbadf15cce27e0106d06d5ded6d6a4185b5bd1
                                      • Instruction ID: 90bc1ad11514676b1fc1d5f951dd75d568bac44a08415ef954835e7f8f0e48cf
                                      • Opcode Fuzzy Hash: d66cb79d09d175b9eaf675cc75bbadf15cce27e0106d06d5ded6d6a4185b5bd1
                                      • Instruction Fuzzy Hash: 2FD16C706097018FD760DF69C198B6ABBE0FF88308F54496CE9989BB11F734D884CB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$CloseHandlefreepthread_mutex_trylockpthread_mutex_unlock
                                      • String ID: 00Ib$00Ib
                                      • API String ID: 1860873260-3143399735
                                      • Opcode ID: 8f775099a7e3675a9abc7b5a77cc5723f5318d5c570ff03822bfc43cbd4b43ed
                                      • Instruction ID: a0bee27f31a0b55c305b74e577c54d7d6452227de1ad7cc80823938bcc8b56b8
                                      • Opcode Fuzzy Hash: 8f775099a7e3675a9abc7b5a77cc5723f5318d5c570ff03822bfc43cbd4b43ed
                                      • Instruction Fuzzy Hash: DD6160706257028FD380AF39C4A0B1BB7E1AF85728F50893DE9A88B354DB79D545CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      • Associated: 00000013.00000002.2089589408.0000000062E80000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089632392.0000000062E95000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089649416.0000000062E9C000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089663354.0000000062E9D000.00000004.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089711488.0000000062EA0000.00000008.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089731495.0000000062EA1000.00000002.00000001.01000000.00000006.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: freemalloc$Init2_inflate
                                      • String ID: 1.2.5$8$out of memory$unknown compression method$unknown header flags set
                                      • API String ID: 418816003-1559348662
                                      • Opcode ID: d3871141341fc05b0e62c4e622886e13eebcdc4dd41ab7dd671e10db93df7f91
                                      • Instruction ID: fd6cae4127603ca1bf734e033c65c5f862f04db9110aab6d5255d2357481deb9
                                      • Opcode Fuzzy Hash: d3871141341fc05b0e62c4e622886e13eebcdc4dd41ab7dd671e10db93df7f91
                                      • Instruction Fuzzy Hash: 55E1FC706046418BDB088F3CC4E071A3BE5AF45359B6295BDE8ABCF34ADB38D945DB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC84914
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC8492B
                                      • CT_POLICY_EVAL_CTX_new.LIBCRYPTO-1_1 ref: 6CC8494D
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC8496D
                                      • CT_POLICY_EVAL_CTX_set1_cert.LIBCRYPTO-1_1 ref: 6CC8497B
                                      • CT_POLICY_EVAL_CTX_set1_issuer.LIBCRYPTO-1_1 ref: 6CC84987
                                      • CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE.LIBCRYPTO-1_1 ref: 6CC8499F
                                      • CT_POLICY_EVAL_CTX_set_time.LIBCRYPTO-1_1 ref: 6CC849C6
                                      • SCT_LIST_validate.LIBCRYPTO-1_1 ref: 6CC849DC
                                      • CT_POLICY_EVAL_CTX_free.LIBCRYPTO-1_1 ref: 6CC84A37
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_num$L_sk_valueT_validateX_freeX_newX_set1_certX_set1_issuerX_set_shared_X_set_time
                                      • String ID: A$P
                                      • API String ID: 866506662-345673399
                                      • Opcode ID: a61fe4b341f4426fafda5b583674dd1e9b0ef0fdda232e0f96f6458c44c3a1ec
                                      • Instruction ID: c1dfe8fa1dd53a4b02223e28318db50a1118d078579702c5af68372b6d2d7575
                                      • Opcode Fuzzy Hash: a61fe4b341f4426fafda5b583674dd1e9b0ef0fdda232e0f96f6458c44c3a1ec
                                      • Instruction Fuzzy Hash: 7C51E6B050AB01DBD700DFA5C59439FBBE8AF81748F05882DE898AF751F779C4848B96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: strlen$L_sk_findL_sk_new_nullL_sk_pushR_put_errorstrchrstrncmp
                                      • String ID: :
                                      • API String ID: 3969727163-336475711
                                      • Opcode ID: b441c96a318a1de10571b671d09657c46618d2635c6655d955aae4182978a87c
                                      • Instruction ID: cece6f2d6d2e7c16cbd2e1e346ac618b852a32a12ba7829617269fe48e89e1d7
                                      • Opcode Fuzzy Hash: b441c96a318a1de10571b671d09657c46618d2635c6655d955aae4182978a87c
                                      • Instruction Fuzzy Hash: 03413BB16097059BD300AFA6D98439EBBF0AF84748F048D5DE9989BB40F7B5C5448B93
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 62482750: SetEvent.KERNEL32 ref: 624827A1
                                        • Part of subcall function 62482750: SetEvent.KERNEL32 ref: 62482819
                                        • Part of subcall function 62482750: CreateEventA.KERNEL32 ref: 624828AB
                                      • malloc.MSVCRT ref: 6248A2E2
                                      • _beginthreadex.MSVCRT ref: 6248A361
                                      • sched_get_priority_min.PTHREADGC2 ref: 6248A380
                                      • ResumeThread.KERNEL32(?,00000000,00000000,00000000), ref: 6248A392
                                      • pthread_self.PTHREADGC2 ref: 6248A3D4
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$CreateResumeThread_beginthreadexmallocpthread_selfsched_get_priority_min
                                      • String ID:
                                      • API String ID: 2799622174-0
                                      • Opcode ID: 45dd0bba87b6086b20e6a48fffb0cf9a902ba85e061442d65b4db4e611e5d9a0
                                      • Instruction ID: f41924078a323dfdf9ba3bfc2a1e81a84cdddc2bc0f36509bcb1b40e4f2c95af
                                      • Opcode Fuzzy Hash: 45dd0bba87b6086b20e6a48fffb0cf9a902ba85e061442d65b4db4e611e5d9a0
                                      • Instruction Fuzzy Hash: B6911CB0519711DFD7409F28C4A0B1BBBE0AF85718F51992DE8998B390DBB8D981CF93
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: H_newN_free$H_freeH_set0_pqgN_get_rfc3526_prime_2048N_newN_set_wordY_security_bits
                                      • String ID:
                                      • API String ID: 1409624883-0
                                      • Opcode ID: 68ae4bb55a82d8cafc5404de1d7deab227ea91ea554969fbced76563d1c5c36b
                                      • Instruction ID: b6bb8f1653360023654a49e6b4b50eea0936ff8919e35998689f209a1184d4f3
                                      • Opcode Fuzzy Hash: 68ae4bb55a82d8cafc5404de1d7deab227ea91ea554969fbced76563d1c5c36b
                                      • Instruction Fuzzy Hash: 2531A671609B018AD7046FF9D8A835FB6E5AF80358F16492CC589FBB01FB34C8499B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: 00Ib$00Ib
                                      • API String ID: 4201588131-3143399735
                                      • Opcode ID: 62c3b39a172976128c4f555cfa03111433cfdc3e2345d509def2cb0b079a8632
                                      • Instruction ID: 488eaa9ba7482fbc4814b6aea2108f21851de6f0640d3b6763bb7cfcea58370d
                                      • Opcode Fuzzy Hash: 62c3b39a172976128c4f555cfa03111433cfdc3e2345d509def2cb0b079a8632
                                      • Instruction Fuzzy Hash: 075145705157019FD7059F38C9A0B6BBBE0AF85718F118A2CE4A98B380DB7DD546CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_key_delete.PTHREADGC2 ref: 62484E18
                                        • Part of subcall function 624844D0: SetEvent.KERNEL32 ref: 62484542
                                        • Part of subcall function 624844D0: SetEvent.KERNEL32 ref: 624845B2
                                        • Part of subcall function 624844D0: SetEvent.KERNEL32(00000000), ref: 624845FF
                                      • pthread_key_delete.PTHREADGC2 ref: 62484E33
                                      • SetEvent.KERNEL32 ref: 62484E8B
                                      • SetEvent.KERNEL32(00000000), ref: 62484EE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$pthread_key_delete
                                      • String ID: 40Ib$40Ib
                                      • API String ID: 2183179807-1775419244
                                      • Opcode ID: f8e909874acd18d66664425f2643ce18ecfafd13a9e522c10979637fac04834e
                                      • Instruction ID: 60b34f1ca3dde0ad01dae76935f4fe35604284433b45ede49ce019e7db247fd2
                                      • Opcode Fuzzy Hash: f8e909874acd18d66664425f2643ce18ecfafd13a9e522c10979637fac04834e
                                      • Instruction Fuzzy Hash: 505140716157028FE705AF39C4A4B27BBE8AF85358F018A2CE5988B384DB38D545CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_key_delete.PTHREADGC2 ref: 62484A1B
                                        • Part of subcall function 624844D0: SetEvent.KERNEL32 ref: 62484542
                                        • Part of subcall function 624844D0: SetEvent.KERNEL32 ref: 624845B2
                                        • Part of subcall function 624844D0: SetEvent.KERNEL32(00000000), ref: 624845FF
                                      • pthread_key_delete.PTHREADGC2 ref: 62484A36
                                      • SetEvent.KERNEL32 ref: 62484A8E
                                      • SetEvent.KERNEL32(00000000), ref: 62484AEB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$pthread_key_delete
                                      • String ID: 40Ib$40Ib
                                      • API String ID: 2183179807-1775419244
                                      • Opcode ID: 51b3cbf14977e92bb8919e5b2c1dbdbefb53680924dfc9b808ad5738c662d670
                                      • Instruction ID: 5d2337c50c4385fccab48cd343a8b2c298bd4024bc5ab4f8d7cd4fa8ca630fa1
                                      • Opcode Fuzzy Hash: 51b3cbf14977e92bb8919e5b2c1dbdbefb53680924dfc9b808ad5738c662d670
                                      • Instruction Fuzzy Hash: C94141706153018FD704AF39C9A4B1BBBE4BF85358F018A2CD4988B384EB79D545CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BIO_s_file.LIBCRYPTO-1_1 ref: 6CC87E9A
                                      • BIO_new.LIBCRYPTO-1_1 ref: 6CC87EA2
                                      • BIO_ctrl.LIBCRYPTO-1_1(?,?,?,?,?,?,?,6CC79FED), ref: 6CC87ECC
                                      • d2i_PrivateKey_bio.LIBCRYPTO-1_1(?,?,?,?,?,?,?,6CC79FED), ref: 6CC87EF2
                                      • EVP_PKEY_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,6CC79FED), ref: 6CC87F1C
                                      • ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC79FED), ref: 6CC87F51
                                      • BIO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC79FED), ref: 6CC87F59
                                      • ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC79FED), ref: 6CC87F99
                                      • PEM_read_bio_PrivateKey.LIBCRYPTO-1_1(?,?,?,?,?,?,?,6CC79FED), ref: 6CC87FC7
                                      • ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC79FED), ref: 6CC88009
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$Private$Key_bioM_read_bio_O_ctrlO_freeO_newO_s_fileY_freed2i_
                                      • String ID: l$|
                                      • API String ID: 2673981590-383203303
                                      • Opcode ID: 5a5891f7a72319c04b8d3cfc771455b4f06e01f974525ba3202548d59160fda1
                                      • Instruction ID: e66014aea40e8f98b1b3aee9317b7cda8363e6cbcb0dcea1ace04d6acd3a81eb
                                      • Opcode Fuzzy Hash: 5a5891f7a72319c04b8d3cfc771455b4f06e01f974525ba3202548d59160fda1
                                      • Instruction Fuzzy Hash: 7731F6B160A7019FE700DF69C08575FBAE0AF85748F018D2DF4989B750E7B9D848DB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BIO_s_file.LIBCRYPTO-1_1 ref: 6CC8893A
                                      • BIO_new.LIBCRYPTO-1_1 ref: 6CC88942
                                      • BIO_ctrl.LIBCRYPTO-1_1(?,?,?,?,?,?,?,6CC79FD2), ref: 6CC8896C
                                      • d2i_PrivateKey_bio.LIBCRYPTO-1_1(?,?,?,?,?,?,?,6CC79FD2), ref: 6CC88992
                                      • EVP_PKEY_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,6CC79FD2), ref: 6CC889BC
                                      • ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC79FD2), ref: 6CC889F1
                                      • BIO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC79FD2), ref: 6CC889F9
                                      • ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC79FD2), ref: 6CC88A39
                                      • PEM_read_bio_PrivateKey.LIBCRYPTO-1_1(?,?,?,?,?,?,?,6CC79FD2), ref: 6CC88A61
                                      • ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC79FD2), ref: 6CC88AA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$Private$Key_bioM_read_bio_O_ctrlO_freeO_newO_s_fileY_freed2i_
                                      • String ID: l$|
                                      • API String ID: 2673981590-383203303
                                      • Opcode ID: 04d1298385767ac0012d91cd1bc59ee49479603db94f4bb06ba0ff12ffebb3bf
                                      • Instruction ID: 5ed2da4c8a772a7ade7ac6e4ef6ed7d26e92d34b9262b9ea3c0717ef4c14a247
                                      • Opcode Fuzzy Hash: 04d1298385767ac0012d91cd1bc59ee49479603db94f4bb06ba0ff12ffebb3bf
                                      • Instruction Fuzzy Hash: 1C31C5B190A7019FD704DF69D58474FBBE0AF84348F01891EE4D89BB50E7B9D8888B83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Y_id
                                      • String ID: /
                                      • API String ID: 239174422-2043925204
                                      • Opcode ID: f7dcfe40e9a6d6d3d651339fb8a0b38951b049cc6d7715c2e71e81b2fdeb6e6a
                                      • Instruction ID: aab29ec9ec5dc6c5bb824d603d43ddc4e942ac310988f50147216b15ea786a4d
                                      • Opcode Fuzzy Hash: f7dcfe40e9a6d6d3d651339fb8a0b38951b049cc6d7715c2e71e81b2fdeb6e6a
                                      • Instruction Fuzzy Hash: 07C18F70609302CFD7049FA6C59876AB7E1FB85348F14892DE9A48BB54F734D887CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC64FD0: CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC64FFD
                                      • time.MSVCRT ref: 6CC96B00
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_zalloctime
                                      • String ID: $@$A$P
                                      • API String ID: 3668255636-1385469511
                                      • Opcode ID: 1071a45bbd93ac3471987ec0872d294309efc15d4c9e32e14741991b9a5956ea
                                      • Instruction ID: 042ce2819209843731507053691bf6069c833ec1206b7f167ad1899be8647f7e
                                      • Opcode Fuzzy Hash: 1071a45bbd93ac3471987ec0872d294309efc15d4c9e32e14741991b9a5956ea
                                      • Instruction Fuzzy Hash: C5D1B0B0509B419FE740DF25C29435EBBE4AF84788F11882DE9D8C7B90E7B8D548CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID:
                                      • API String ID: 4201588131-0
                                      • Opcode ID: 61adb0852c60dfe0bff18c3e4e49c6823a83cb44eafc0adf525e11c6e6d18762
                                      • Instruction ID: d8946bdd81ff0f26273945088fe922bcdd4601d400c77fe9006853402dcb86e5
                                      • Opcode Fuzzy Hash: 61adb0852c60dfe0bff18c3e4e49c6823a83cb44eafc0adf525e11c6e6d18762
                                      • Instruction Fuzzy Hash: 55815070515B128FD705AF39C8A0B1BB7E0AF85318F05CA6CD8A89B344EB3AD545CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$pthread_mutex_trylock
                                      • String ID: $0Ib$$0Ib
                                      • API String ID: 3184621677-2500569730
                                      • Opcode ID: c9eba26ff02bf74570cac68ba09c9133e8a7c6475e91eb9297896b57da61c7f2
                                      • Instruction ID: 5c0e871e969e7a983c1b61fd8b5fa04257b143d2d36fd2db08d99a86f7910e85
                                      • Opcode Fuzzy Hash: c9eba26ff02bf74570cac68ba09c9133e8a7c6475e91eb9297896b57da61c7f2
                                      • Instruction Fuzzy Hash: 655161716257128BD705EF38C860B1BB7E1EF85328F058A2DE59A9B380DB39C545CBC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: $0Ib$$0Ib
                                      • API String ID: 4201588131-2500569730
                                      • Opcode ID: 410c90c4e330e00e38379540b9e0ad1cc4a06baab9bcd6bce2bd7627745fd7da
                                      • Instruction ID: bf820d3411786da10a6724afa54165d3d43b985fa8bbf27ba353c8a50516f97a
                                      • Opcode Fuzzy Hash: 410c90c4e330e00e38379540b9e0ad1cc4a06baab9bcd6bce2bd7627745fd7da
                                      • Instruction Fuzzy Hash: 8D513E756197118BE7049F39C870B1BBBE1AF85318F058A2DE4A89F350DB39D545CBC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$freepthread_mutex_destroy
                                      • String ID: $0Ib$$0Ib
                                      • API String ID: 2672132264-2500569730
                                      • Opcode ID: 65b08f52c04a23505dfde8ae2d889a61352856e3c996ceea97357631fb667888
                                      • Instruction ID: 352133d7d5eb32f16512a2cc41c57b1c85b8be264bec4fe8fe1d3cd287de81b4
                                      • Opcode Fuzzy Hash: 65b08f52c04a23505dfde8ae2d889a61352856e3c996ceea97357631fb667888
                                      • Instruction Fuzzy Hash: 495183705257038FE741AF39C960B1BBBE1AF85718F118A2CD5A85B384EB39D546CBC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetEvent.KERNEL32 ref: 62481598
                                      • SetEvent.KERNEL32(00000000), ref: 62481624
                                      • CloseHandle.KERNEL32(00000000,00000000), ref: 62481635
                                      • CloseHandle.KERNEL32(00000000), ref: 62481646
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: CloseEventHandle
                                      • String ID: 40Ib$40Ib
                                      • API String ID: 827626419-1775419244
                                      • Opcode ID: 61a5dfdf60815d13568b059fa0b9ae81a95ac234d005eafda6131a6303b1a0ba
                                      • Instruction ID: 673400d5c726d73f45a9bb55f1d3d5c9f3c3866edfd70427d7e5378f793ba48d
                                      • Opcode Fuzzy Hash: 61a5dfdf60815d13568b059fa0b9ae81a95ac234d005eafda6131a6303b1a0ba
                                      • Instruction Fuzzy Hash: 935150B05153018FE714AF29C8A0B5BBBE5BF85718F058A2DD8AC9B380DB39D545CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 6CC6B040
                                      • EVP_MD_size.LIBCRYPTO-1_1 ref: 6CC6B048
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6B0DB
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6B0F9
                                      • EVP_DigestSignFinal.LIBCRYPTO-1_1 ref: 6CC6B11C
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC6B130
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CC6B1D0
                                      • EVP_MD_CTX_copy.LIBCRYPTO-1_1 ref: 6CC6B1F0
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC6B20C
                                      • EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 6CC6B275
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CC6B27D
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC6B304
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: DigestX_free$Update$D_sizeFinalR_flagsSignX_cipherX_copyX_mdX_new
                                      • String ID:
                                      • API String ID: 1646916410-0
                                      • Opcode ID: 3165c392798aababa902d2717293c3210944d2b3f7b97d90986b391b0bc77608
                                      • Instruction ID: e6cfe1a69dfd11cf9b548180b2db27f47461165efe3fa045660e6ed02af0132f
                                      • Opcode Fuzzy Hash: 3165c392798aababa902d2717293c3210944d2b3f7b97d90986b391b0bc77608
                                      • Instruction Fuzzy Hash: DE912675A087419FC700DF66C59069ABBF0FF88304F04896EF898DBB10E375E8499B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CC8689D
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC8699F
                                        • Part of subcall function 6CC763B0: EVP_PKEY_id.LIBCRYPTO-1_1(?,?,?,?,?,?,6CCB1784), ref: 6CC763BA
                                      • EVP_PKEY_copy_parameters.LIBCRYPTO-1_1 ref: 6CC868E3
                                      • ERR_clear_error.LIBCRYPTO-1_1 ref: 6CC868E8
                                      • X509_check_private_key.LIBCRYPTO-1_1 ref: 6CC868FF
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC86916
                                      • X509_up_ref.LIBCRYPTO-1_1 ref: 6CC8691E
                                      • EVP_PKEY_get0_EC_KEY.LIBCRYPTO-1_1 ref: 6CC869B3
                                      • EC_KEY_can_sign.LIBCRYPTO-1_1 ref: 6CC869BB
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC869F7
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$R_clear_errorX509_check_private_keyX509_freeX509_get0_pubkeyX509_up_refY_can_signY_copy_parametersY_get0_Y_id
                                      • String ID:
                                      • API String ID: 2049276590-0
                                      • Opcode ID: b3eb6c63a2b0c87f64133ea4c5903e366e4753b7a1e39ad9f388e4a05e1aa367
                                      • Instruction ID: 85ecf0a37e609a877aca78a9f6b4bdf9e1402666c4d6db1b1fcfc1f95a319966
                                      • Opcode Fuzzy Hash: b3eb6c63a2b0c87f64133ea4c5903e366e4753b7a1e39ad9f388e4a05e1aa367
                                      • Instruction Fuzzy Hash: 7C4125B0509B019FDB00DFA8D084AAABBF0EF85308F418C6DE494DB790E776D549CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC63970: BIO_ctrl.LIBCRYPTO-1_1 ref: 6CC639B8
                                        • Part of subcall function 6CC63B10: BIO_ctrl.LIBCRYPTO-1_1 ref: 6CC63B3A
                                      • EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 6CC9FF1A
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CC9FF22
                                      • EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 6CC9FF37
                                      • EVP_MD_size.LIBCRYPTO-1_1 ref: 6CC9FF3F
                                      • EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 6CC9FF55
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CC9FF5D
                                      • BIO_ctrl.LIBCRYPTO-1_1 ref: 6CC9FFEE
                                      • BIO_ctrl.LIBCRYPTO-1_1 ref: 6CCA002F
                                      • BIO_ctrl.LIBCRYPTO-1_1 ref: 6CCA01BF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_ctrl$R_flagsX_cipher$D_sizeX_md
                                      • String ID: +
                                      • API String ID: 4215536034-2126386893
                                      • Opcode ID: 6554699a03081e93cb16bc9dcd2de7c093ad252dae1b92a2d66358791d3bbd68
                                      • Instruction ID: ee6c37f7712904b6f718de0f98dddda9ce7dbb602937d366764043e2021d372e
                                      • Opcode Fuzzy Hash: 6554699a03081e93cb16bc9dcd2de7c093ad252dae1b92a2d66358791d3bbd68
                                      • Instruction Fuzzy Hash: E8D159746093408FD700CF65C0C879ABBE1BF99348F1986ADD8998B756E371D846CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: (0Ib$(0Ib
                                      • API String ID: 4201588131-971630126
                                      • Opcode ID: 969598b40544684028eb1185e9831a6f17668b699bd9478a677ef3f258275902
                                      • Instruction ID: 473f21c6c0d5b7d11f2b679d65c8e1be0d15abefa976d31a49a1a277ab8fc27e
                                      • Opcode Fuzzy Hash: 969598b40544684028eb1185e9831a6f17668b699bd9478a677ef3f258275902
                                      • Instruction Fuzzy Hash: F04132705157068FD704AF7DC960B1BBBE1AF85358F118A2CE4A89B380DB79D946CBC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: $0Ib$$0Ib
                                      • API String ID: 4201588131-2500569730
                                      • Opcode ID: 547bc38663e883176ec4bc80dd70323e86afabceea9a91ac311d26d537a793ff
                                      • Instruction ID: f5bc865a4b91a314ab61631d099cf50195cdd2f6efc5dfd0235bd7a4d5d48f73
                                      • Opcode Fuzzy Hash: 547bc38663e883176ec4bc80dd70323e86afabceea9a91ac311d26d537a793ff
                                      • Instruction Fuzzy Hash: E94140705197028FD704AF39C860B5BBBE4AF85318F018A2CE5A98B280DB79D546CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: ,0Ib$,0Ib
                                      • API String ID: 4201588131-3949404277
                                      • Opcode ID: c57045d6f0405f880711823f4ad250034745a2831eedcf9279b4893ed41891e8
                                      • Instruction ID: f0fe42eccbce01bda31c9763d676d694d12827658a4e3aed7b551a17b2c704cb
                                      • Opcode Fuzzy Hash: c57045d6f0405f880711823f4ad250034745a2831eedcf9279b4893ed41891e8
                                      • Instruction Fuzzy Hash: A34151706197068FD704AF38C864B1BBBE5AF85358F118A2CE4E89B380DB79D545CBC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC87E07
                                        • Part of subcall function 6CC763B0: EVP_PKEY_id.LIBCRYPTO-1_1(?,?,?,?,?,?,6CCB1784), ref: 6CC763BA
                                      • X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CC87D35
                                      • EVP_PKEY_copy_parameters.LIBCRYPTO-1_1 ref: 6CC87D45
                                      • ERR_clear_error.LIBCRYPTO-1_1 ref: 6CC87D4A
                                      • X509_check_private_key.LIBCRYPTO-1_1 ref: 6CC87D61
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC87D7C
                                      • EVP_PKEY_up_ref.LIBCRYPTO-1_1 ref: 6CC87D84
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC87DD7
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC87E2A
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC87E77
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$R_clear_errorX509_check_private_keyX509_freeX509_get0_pubkeyY_copy_parametersY_freeY_idY_up_ref
                                      • String ID: C
                                      • API String ID: 3713628426-1037565863
                                      • Opcode ID: b53c99f6e88b37750ae214fdfbe907cec3711ce2d9788499fc4f687d7eb2a301
                                      • Instruction ID: c4753f2506d2c59e1722b4b75c7e5ba2c24227e5de354106cf9cb24d2cf38545
                                      • Opcode Fuzzy Hash: b53c99f6e88b37750ae214fdfbe907cec3711ce2d9788499fc4f687d7eb2a301
                                      • Instruction Fuzzy Hash: 504135B06097028FDB10DF65D084AABBBF0BF84308F408C6DE5998B750E7B5E548CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_ctrlO_free_allO_int_ctrlO_method_typeO_newO_popO_pushO_s_socketO_up_ref
                                      • String ID: i
                                      • API String ID: 2765123792-3865851505
                                      • Opcode ID: d44cef23915955236f0fcb7e8c8e73561d8a124c0c823b3b44e79e8b3eeebf85
                                      • Instruction ID: cc73d2af64561e7d5454bd7e9b16310836178ea8b7b3965d9e4c98db2f1c0c76
                                      • Opcode Fuzzy Hash: d44cef23915955236f0fcb7e8c8e73561d8a124c0c823b3b44e79e8b3eeebf85
                                      • Instruction Fuzzy Hash: C221DFB0909B009FDB54EF65C08475EBBE0FF40718F05881DE898ABB44E779D884CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_new.LIBCRYPTO-1_1 ref: 6CC70E18
                                      • EVP_PKEY_set1_DH.LIBCRYPTO-1_1 ref: 6CC70E26
                                      • EVP_PKEY_security_bits.LIBCRYPTO-1_1 ref: 6CC70E3E
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC70E77
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC70F81
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC70FEB
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC70FF3
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC7106A
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC71096
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_errorY_free$Y_newY_security_bitsY_set1_
                                      • String ID: A$C
                                      • API String ID: 740373381-2418331497
                                      • Opcode ID: 225d9640126d67da5ac1adc6f000361f95ebef60eefae53e08ff42f58dbd2523
                                      • Instruction ID: 8c11dabd2d1f2ee9366bc808e1196be997262940aa4dd8e4a2ebf54f14a6f958
                                      • Opcode Fuzzy Hash: 225d9640126d67da5ac1adc6f000361f95ebef60eefae53e08ff42f58dbd2523
                                      • Instruction Fuzzy Hash: 9821D8B0809B42DFE7149F65C15434EBAE0EF80748F01CC1DE598AB750EBBAC5498FA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • free.MSVCRT ref: 6248A630
                                      • pthread_setspecific.PTHREADGC2 ref: 6248A644
                                        • Part of subcall function 6248554C: pthread_self.PTHREADGC2 ref: 62485563
                                        • Part of subcall function 6248554C: SetEvent.KERNEL32 ref: 624855E2
                                        • Part of subcall function 6248554C: SetEvent.KERNEL32 ref: 6248563E
                                        • Part of subcall function 6248554C: calloc.MSVCRT ref: 6248568B
                                      • SetEvent.KERNEL32 ref: 6248A68A
                                      • SetEvent.KERNEL32 ref: 6248A6D9
                                      • _setjmp.MSVCRT ref: 6248A6E8
                                      • _endthreadex.MSVCRT ref: 6248A710
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$_endthreadex_setjmpcallocfreepthread_selfpthread_setspecific
                                      • String ID:
                                      • API String ID: 806548757-0
                                      • Opcode ID: f87e25bdc6cff4e3ee0a063e415998b0c739c2dea3969bf8ead056d6c9356350
                                      • Instruction ID: 2d7551ab7d65c228da910d80f3b1a2b0480012fd727657f449c59f95fdb7ebf2
                                      • Opcode Fuzzy Hash: f87e25bdc6cff4e3ee0a063e415998b0c739c2dea3969bf8ead056d6c9356350
                                      • Instruction Fuzzy Hash: 91512A709117158FDB04EF78C8A0B9ABBF1AF88324F10862DD454AB380D778D985CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: D$P
                                      • API String ID: 0-307317852
                                      • Opcode ID: d81ca9318e6ff70f08b3315f61d819011322917380bb388b1a578d251f8060c6
                                      • Instruction ID: fd69cb9d01875973ca8b5af81ea67fe1a64ae7bd0e5085910cae29e308d2d0ac
                                      • Opcode Fuzzy Hash: d81ca9318e6ff70f08b3315f61d819011322917380bb388b1a578d251f8060c6
                                      • Instruction Fuzzy Hash: 5B7147B5609B019FD310DF29C49479ABBE1BF84308F148A2DE8AC9BB54E775D448CF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • internal error: deflate stream corrupt, xrefs: 62E86654
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: deflate
                                      • String ID: internal error: deflate stream corrupt
                                      • API String ID: 3803212549-3609297558
                                      • Opcode ID: 8b00f5b3e98fcee3e9ec667e9ffc8b91688d401acfe45acdf49123535fda8684
                                      • Instruction ID: 7409c3537517f2f2d82267a7044ba181cb3e5d8f94344fc6b6a3aceb1d8cad71
                                      • Opcode Fuzzy Hash: 8b00f5b3e98fcee3e9ec667e9ffc8b91688d401acfe45acdf49123535fda8684
                                      • Instruction Fuzzy Hash: F55109B0A147428FCB14DF38C1E061A7BE0AF45358B21CABDEC999B399D738D841DB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_errorstrlenstrncmp
                                      • String ID: , value=$cmd=
                                      • API String ID: 878892202-765094167
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • VirtualQuery failed for %d bytes at address %p, xrefs: 6CCB7067
                                      • Address %p has no image-section, xrefs: 6CCB707B
                                      • VirtualProtect failed with code 0x%x, xrefs: 6CCB7036
                                      • Mingw-w64 runtime failure:, xrefs: 6CCB6EF8
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: QueryVirtualabortfwritevfprintf
                                      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                      • API String ID: 2513968241-1534286854
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$pthread_cond_broadcast
                                      • String ID: 0Ib
                                      • API String ID: 1922247177-656040330
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: 40Ib$40Ib
                                      • API String ID: 4201588131-1775419244
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: 40Ib$40Ib
                                      • API String ID: 4201588131-1775419244
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: 40Ib$40Ib
                                      • API String ID: 4201588131-1775419244
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6248552D), ref: 6248503C
                                      • SetEvent.KERNEL32 ref: 6248509C
                                      • SetEvent.KERNEL32(00000000), ref: 624850E9
                                      • SetEvent.KERNEL32(?), ref: 6248510D
                                      • TlsSetValue.KERNEL32 ref: 6248517D
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$Valuepthread_getspecific
                                      • String ID:
                                      • API String ID: 4215522435-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetEvent.KERNEL32(00000000), ref: 62488B63
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID:
                                      • API String ID: 4201588131-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_self.PTHREADGC2 ref: 6248BB27
                                        • Part of subcall function 624859C4: pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,62485568), ref: 624859D2
                                      • SetEvent.KERNEL32 ref: 6248BB87
                                      • CreateEventA.KERNEL32 ref: 6248BBBE
                                      • CloseHandle.KERNEL32 ref: 6248BBDD
                                      • WaitForSingleObject.KERNEL32 ref: 6248BC19
                                      • ResetEvent.KERNEL32 ref: 6248BC3C
                                      • SetEvent.KERNEL32 ref: 6248BC81
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$CloseCreateHandleObjectResetSingleWaitpthread_getspecificpthread_self
                                      • String ID:
                                      • API String ID: 469051586-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • sched_get_priority_min.PTHREADGC2 ref: 62483882
                                      • sched_get_priority_max.PTHREADGC2 ref: 6248389F
                                      • SetEvent.KERNEL32 ref: 624838FF
                                      • SetThreadPriority.KERNEL32 ref: 62483925
                                      • SetEvent.KERNEL32(?), ref: 6248396A
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$PriorityThreadsched_get_priority_maxsched_get_priority_min
                                      • String ID:
                                      • API String ID: 3746687159-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • X509_STORE_CTX_new.LIBCRYPTO-1_1 ref: 6CC75DDB
                                      • X509_STORE_CTX_init.LIBCRYPTO-1_1 ref: 6CC75E01
                                      • X509_STORE_CTX_set_flags.LIBCRYPTO-1_1 ref: 6CC75E23
                                      • X509_verify_cert.LIBCRYPTO-1_1 ref: 6CC75E2B
                                      • X509_STORE_CTX_get1_chain.LIBCRYPTO-1_1 ref: 6CC75E41
                                      • OPENSSL_sk_shift.LIBCRYPTO-1_1 ref: 6CC75E4D
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC75E55
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC75EC1
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC75EE0
                                      • X509_STORE_CTX_new.LIBCRYPTO-1_1 ref: 6CC75F03
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC75F3D
                                      • X509_STORE_new.LIBCRYPTO-1_1 ref: 6CC75F60
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC75F98
                                      • X509_STORE_add_cert.LIBCRYPTO-1_1 ref: 6CC75FAC
                                      • X509_STORE_free.LIBCRYPTO-1_1 ref: 6CC75FCD
                                      • X509_STORE_CTX_free.LIBCRYPTO-1_1 ref: 6CC75FD9
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC76017
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC76067
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC76077
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC76086
                                      • X509_get_extension_flags.LIBCRYPTO-1_1 ref: 6CC7608E
                                      • OPENSSL_sk_pop.LIBCRYPTO-1_1 ref: 6CC760A3
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC760AB
                                      • X509_STORE_CTX_get1_chain.LIBCRYPTO-1_1 ref: 6CC760D4
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC761B9
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X509_$L_sk_num$R_put_error$X509_freeX_get1_chainX_new$E_add_certE_freeE_newL_sk_popL_sk_pop_freeL_sk_shiftL_sk_valueX509_get_extension_flagsX509_verify_certX_freeX_initX_set_flags
                                      • String ID:
                                      • API String ID: 1984016654-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 6CC65C91
                                      • EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 6CC65CA3
                                      • EVP_MD_size.LIBCRYPTO-1_1 ref: 6CC65CAB
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 6CC65D37
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CC65D3F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_md$D_sizeR_flagsR_put_errorX_cipher
                                      • String ID: D$P
                                      • API String ID: 1734801832-307317852
                                      • Opcode ID: d831cac0cb92d0575a3dde5db02025d8a3a4e79af0485e69c7a887ba2f70e302
                                      • Instruction ID: 8b1341458cf5f367db4b1a5e188200a9e9125eb3bfab2c3f9e131347556a1125
                                      • Opcode Fuzzy Hash: d831cac0cb92d0575a3dde5db02025d8a3a4e79af0485e69c7a887ba2f70e302
                                      • Instruction Fuzzy Hash: 51D127B0609341DFD700CF2AC18475ABBE0BF89348F54896EE8988BB52E775D845CF52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: crc32$inflate
                                      • String ID: compressed data error$incorrect data check$incorrect length check$internal error: inflate stream corrupt$out of memory$unexpected end of file
                                      • API String ID: 939100155-4274367702
                                      • Opcode ID: 6329e90b1799014abbcf4ddb67cfe1128b07b199997edf13930789a316b4ba66
                                      • Instruction ID: f6d7fb18a85c4529b9037e4fd296b6da6d9ab2ac17fd8c2e465a0c1d906f2912
                                      • Opcode Fuzzy Hash: 6329e90b1799014abbcf4ddb67cfe1128b07b199997edf13930789a316b4ba66
                                      • Instruction Fuzzy Hash: CC51FBB05056018BC7109F38C59029A7BE4AF45768F32DB79E8EADB3D5EB38C441CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_CTX_new_id.LIBCRYPTO-1_1 ref: 6CC72D55
                                      • EVP_PKEY_keygen_init.LIBCRYPTO-1_1 ref: 6CC72D67
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CC72DA3
                                      • EVP_PKEY_keygen.LIBCRYPTO-1_1 ref: 6CC72DBB
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CC72DC7
                                      • EVP_PKEY_CTX_new_id.LIBCRYPTO-1_1 ref: 6CC72DE5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_new_id$X_ctrlX_freeY_keygenY_keygen_init
                                      • String ID: D$P
                                      • API String ID: 2509932494-307317852
                                      • Opcode ID: d339b80c37a7c4f461dc03ccfdae180ef78f93dc9e9f217a8e552ef02b2df092
                                      • Instruction ID: ca431f6ee13ff425e23496161ab7d9ae955d69174b93b8b9e4af248d2c638495
                                      • Opcode Fuzzy Hash: d339b80c37a7c4f461dc03ccfdae180ef78f93dc9e9f217a8e552ef02b2df092
                                      • Instruction Fuzzy Hash: 4741BFB0509701DBE7109FA5D29875BBAE1EB84348F008C2DE4989B740EBB9C548CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CCB2BB0: EVP_PKEY_CTX_new_id.LIBCRYPTO-1_1 ref: 6CCB2BC9
                                        • Part of subcall function 6CCB2BB0: EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CCB2C2E
                                      • EVP_DigestSignInit.LIBCRYPTO-1_1 ref: 6CCB3CBC
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CCB3CD4
                                      • EVP_DigestSignFinal.LIBCRYPTO-1_1 ref: 6CCB3CF3
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CCB3D3D
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCB3D45
                                      • EVP_PKEY_new_raw_private_key.LIBCRYPTO-1_1 ref: 6CCB3DEB
                                      • OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 6CCB3E04
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Digest$SignX_free$FinalInitL_cleanseUpdateX_new_idY_freeY_new_raw_private_key
                                      • String ID: @$finished
                                      • API String ID: 2275538953-1631635500
                                      • Opcode ID: 9ac23342446fa43e73d28107e0aed611b5da6d00b73b92427815493d45ef87d3
                                      • Instruction ID: c73d0904b3c028a76cb2f7eaafca8229ab7b703f2c4fa7d5dd20d7405ea48415
                                      • Opcode Fuzzy Hash: 9ac23342446fa43e73d28107e0aed611b5da6d00b73b92427815493d45ef87d3
                                      • Instruction Fuzzy Hash: 6731DEB45197019FD704DFA8C09079EFBE4FF84708F00882EE998A7700EB79E5488B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • malloc.MSVCRT ref: 62E863E7
                                      • malloc.MSVCRT ref: 62E863F5
                                      • deflateInit2_.ZLIB1 ref: 62E8645D
                                      • free.MSVCRT(?,?,?,?,?,?,?,?,62E866E4,?,?,?,?,?,?,?), ref: 62E86487
                                      • free.MSVCRT(?,?,?,?,?,?,?,?,62E866E4,?,?,?,?,?,?,?), ref: 62E86496
                                      • free.MSVCRT ref: 62E864C2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: free$malloc$Init2_deflate
                                      • String ID: 1.2.5$8$out of memory
                                      • API String ID: 867007939-1222373650
                                      • Opcode ID: 0315ac42e876d40d05f93404cd1db8c4f143f1f47c4d5ceeb2e0295bf5f41dc5
                                      • Instruction ID: c7dbcca42130abea6c40b80f665fa7cd86052669b9a4737977c570d2bd6fb485
                                      • Opcode Fuzzy Hash: 0315ac42e876d40d05f93404cd1db8c4f143f1f47c4d5ceeb2e0295bf5f41dc5
                                      • Instruction Fuzzy Hash: 2921C2B09143019BDB44DF79C1D470A7BE5BF44308F209A7EE8988B35AE779D984CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_new.LIBCRYPTO-1_1 ref: 6CC879CD
                                      • RSA_up_ref.LIBCRYPTO-1_1 ref: 6CC879DF
                                      • EVP_PKEY_assign.LIBCRYPTO-1_1 ref: 6CC879F3
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC87A14
                                      • RSA_free.LIBCRYPTO-1_1 ref: 6CC87A2B
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC87A33
                                        • Part of subcall function 6CC86A50: X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CC86A83
                                        • Part of subcall function 6CC86A50: EVP_PKEY_copy_parameters.LIBCRYPTO-1_1 ref: 6CC86A97
                                        • Part of subcall function 6CC86A50: ERR_clear_error.LIBCRYPTO-1_1 ref: 6CC86A9C
                                        • Part of subcall function 6CC86A50: X509_check_private_key.LIBCRYPTO-1_1 ref: 6CC86AB3
                                        • Part of subcall function 6CC86A50: EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC86ACA
                                        • Part of subcall function 6CC86A50: EVP_PKEY_up_ref.LIBCRYPTO-1_1 ref: 6CC86AD2
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC87A67
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC87A9F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Y_free$R_put_error$A_freeA_up_refR_clear_errorX509_check_private_keyX509_get0_pubkeyY_assignY_copy_parametersY_newY_up_ref
                                      • String ID: C
                                      • API String ID: 1772821956-1037565863
                                      • Opcode ID: e1616d6228264de8079fdba5a1f9000facf92cafd94cb92cf6b7473faa019c71
                                      • Instruction ID: e976c3efc7f0705e977f617522e287eab0a7efad2e7fc92a971d9841036b0b2a
                                      • Opcode Fuzzy Hash: e1616d6228264de8079fdba5a1f9000facf92cafd94cb92cf6b7473faa019c71
                                      • Instruction Fuzzy Hash: 17110AF151AB018FE700AF64E48538FBBE0AF80358F019D2CE4989B750E77AC5499B83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$CloseCreateHandle
                                      • String ID:
                                      • API String ID: 585692533-0
                                      • Opcode ID: 006387165d5cfc1b13ade4fcfabc8c49c94df3f5710ea86fd58efcc7587482cc
                                      • Instruction ID: 536b8b7eecc040316bb1490d2f8791fb3520a2b949b37b27cd12abebf6f6ca82
                                      • Opcode Fuzzy Hash: 006387165d5cfc1b13ade4fcfabc8c49c94df3f5710ea86fd58efcc7587482cc
                                      • Instruction Fuzzy Hash: 4F514EB06193128BD7059F39C860B1BBBE0AFC5368F05892DE4988B380DB79D546CBD3
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_testcancel.PTHREADGC2 ref: 6248BFC9
                                        • Part of subcall function 6248B5C8: pthread_self.PTHREADGC2 ref: 6248B3F3
                                      • _ftime.MSVCRT ref: 6248C01E
                                      • pthread_mutex_lock.PTHREADGC2 ref: 6248C051
                                      • _errno.MSVCRT ref: 6248C05E
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: _errno_ftimepthread_mutex_lockpthread_selfpthread_testcancel
                                      • String ID:
                                      • API String ID: 5459094-0
                                      • Opcode ID: 74c4ea886fec7087c555853deacd0745634a921544c4dc64630510011a0a63e1
                                      • Instruction ID: cfc935541d3f1d0f89be00d6593470304cc0fa27a1a50027ed45eb544d79ff31
                                      • Opcode Fuzzy Hash: 74c4ea886fec7087c555853deacd0745634a921544c4dc64630510011a0a63e1
                                      • Instruction Fuzzy Hash: C64117715187058FC304DF69C4A0A0BBBF0EF86764F508A2EE5A48B291E739D985CF82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free_all$O_nextO_popO_pushO_up_ref
                                      • String ID:
                                      • API String ID: 579895235-0
                                      • Opcode ID: 65dad70835df4f44ff9fa81a2c2bc45c26bf2dc6db201724b8bc85572a066cc9
                                      • Instruction ID: 8548a6b7bd59b454ed3c1a127896b7c6a97b7097f489c34106d2b9e31fbd8105
                                      • Opcode Fuzzy Hash: 65dad70835df4f44ff9fa81a2c2bc45c26bf2dc6db201724b8bc85572a066cc9
                                      • Instruction Fuzzy Hash: 15411A71A05B008BCB14AF69C0C056ABBE5FF81254F258969DCA8DFB05F771E841CBB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: /$A
                                      • API String ID: 0-1013139567
                                      • Opcode ID: e698fc0df3c177d34d2d3ad70673df054a9deacb848394076851afbb64a951b4
                                      • Instruction ID: 5db4005dc4e22fff8982aabee80a8c75f6e4196a4256f561105809177ad938a2
                                      • Opcode Fuzzy Hash: e698fc0df3c177d34d2d3ad70673df054a9deacb848394076851afbb64a951b4
                                      • Instruction Fuzzy Hash: C47115B0509705CFD300DF29C09976ABBE8FF84788F15892EE4A89B750E375D549CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: strlenstrncmp
                                      • String ID: , value=$cmd=
                                      • API String ID: 1310274236-765094167
                                      • Opcode ID: f6231f95c20043ede46447a4fd36e26ac6fb6fe0436f0f688e89d83faa17036b
                                      • Instruction ID: fb2b099c432cd3ae4dc94d23c441a07962e9582b0440bffe2d525f79aaa5195a
                                      • Opcode Fuzzy Hash: f6231f95c20043ede46447a4fd36e26ac6fb6fe0436f0f688e89d83faa17036b
                                      • Instruction Fuzzy Hash: 215160B16097018FD7218F29C44035ABBE1FFC1358F248A5DE4A88BBA4F775D885CB66
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC82857
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error
                                      • String ID: B
                                      • API String ID: 1767461275-1255198513
                                      • Opcode ID: 786a9e66ca9067aba22428d3c0ae7208230d2de4036484ad077bf4ee419a12ed
                                      • Instruction ID: 54571a537b7a956481305494fe87f9faebd7c5e26f61199a4596a7218536811d
                                      • Opcode Fuzzy Hash: 786a9e66ca9067aba22428d3c0ae7208230d2de4036484ad077bf4ee419a12ed
                                      • Instruction Fuzzy Hash: 5E41F4B06067008BEB04DF65C4D875A7BE4BF44308F54486CEC889F786E779D988CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: _Jv_RegisterClasses$__register_frame_info$libgcc_s_dw2-1.dll$libgcj_s.dll
                                      • API String ID: 1646373207-3040197113
                                      • Opcode ID: 0a9424c55ed9b5f829c031ba5c27a18308786787a832b7ba7b3e82926c329470
                                      • Instruction ID: 1520accef79832f783cd20bba75bebc26024ee9836fc6e95846268a10e259262
                                      • Opcode Fuzzy Hash: 0a9424c55ed9b5f829c031ba5c27a18308786787a832b7ba7b3e82926c329470
                                      • Instruction Fuzzy Hash: 0AF062B09483414ADB00BBF9663232EB6A49F40609F60C87ED8FCCB240EA34C150DB63
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: _Jv_RegisterClasses$__register_frame_info$libgcc_s_dw2-1.dll$libgcj-12.dll
                                      • API String ID: 1646373207-874464504
                                      • Opcode ID: 2a6a9bc78e64529146ab12478c4061a61d75a92cf3c6f2f9c848aa52bec0758d
                                      • Instruction ID: 1c61528252c1406d4cf2b8bf18e0471a57e0159f19ba91548c8a38a94f659adc
                                      • Opcode Fuzzy Hash: 2a6a9bc78e64529146ab12478c4061a61d75a92cf3c6f2f9c848aa52bec0758d
                                      • Instruction Fuzzy Hash: DDF06D70A2A3019AE7017B798A31F2E7AE46F42649F41485EDCA886245DA38D180CBA3
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC86CE7
                                        • Part of subcall function 6CCB2180: X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CCB21CD
                                        • Part of subcall function 6CCB2180: EVP_PKEY_security_bits.LIBCRYPTO-1_1 ref: 6CCB21DE
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC86D1B
                                      • X509_get_pubkey.LIBCRYPTO-1_1 ref: 6CC86D2B
                                      • EVP_PKEY_missing_parameters.LIBCRYPTO-1_1 ref: 6CC86D4D
                                      • EVP_PKEY_missing_parameters.LIBCRYPTO-1_1 ref: 6CC86D5D
                                      • EVP_PKEY_copy_parameters.LIBCRYPTO-1_1 ref: 6CC86D75
                                      • EVP_PKEY_cmp.LIBCRYPTO-1_1 ref: 6CC86D85
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC86DFE
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC86E43
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC86E7D
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_errorY_missing_parameters$L_sk_numL_sk_valueX509_get0_pubkeyX509_get_pubkeyY_cmpY_copy_parametersY_freeY_security_bits
                                      • String ID:
                                      • API String ID: 1672496101-0
                                      • Opcode ID: 11be3ea48f73066fba2822a6111021f7304885da967961b116a36adfa4fc42b1
                                      • Instruction ID: b8924c4f048ab2c3b717aed11faeaf1cf257b4691b156914edf35892c2e975ad
                                      • Opcode Fuzzy Hash: 11be3ea48f73066fba2822a6111021f7304885da967961b116a36adfa4fc42b1
                                      • Instruction Fuzzy Hash: 1831D2B061AB059FD7049FA6C08466FBBE0BF8574CF51882DE498DBB40E775D848CB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_CTX_new_id.LIBCRYPTO-1_1 ref: 6CC72F24
                                      • EVP_PKEY_paramgen_init.LIBCRYPTO-1_1 ref: 6CC72F32
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CC72F64
                                      • EVP_PKEY_paramgen.LIBCRYPTO-1_1 ref: 6CC72F78
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC72F88
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CC72FA5
                                      • EVP_PKEY_new.LIBCRYPTO-1_1 ref: 6CC72FB8
                                      • EVP_PKEY_set_type.LIBCRYPTO-1_1 ref: 6CC72FCE
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC72FE0
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Y_free$X_ctrlX_freeX_new_idY_newY_paramgenY_paramgen_initY_set_type
                                      • String ID:
                                      • API String ID: 18677163-0
                                      • Opcode ID: 3a3a91aceda032ca1a4f5b760624f8773e55e5bfd1ece3de3a09b49b95abd147
                                      • Instruction ID: 584ecaa13b7d133a564e783b46191b09e225af97f3ae53f073842b43fe09d0af
                                      • Opcode Fuzzy Hash: 3a3a91aceda032ca1a4f5b760624f8773e55e5bfd1ece3de3a09b49b95abd147
                                      • Instruction Fuzzy Hash: 8121B6B0609B22CED7149F79C55835BBAE0FF89348F01892DE894E7740F774C54A8B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_lock.PTHREADGC2 ref: 62487DCB
                                        • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                      • CloseHandle.KERNEL32 ref: 62487DE2
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487DFB
                                      • Sleep.KERNEL32 ref: 62487E07
                                      • pthread_mutex_destroy.PTHREADGC2(00000000), ref: 62487E10
                                        • Part of subcall function 624862D4: pthread_mutex_trylock.PTHREADGC2 ref: 624862F1
                                        • Part of subcall function 624862D4: free.MSVCRT ref: 62486326
                                        • Part of subcall function 624862D4: CloseHandle.KERNEL32 ref: 62486335
                                      • free.MSVCRT(00000000), ref: 62487E1D
                                      • _errno.MSVCRT ref: 62487E31
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487E4B
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487E5B
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_mutex_unlock$CloseHandlefree$ObjectSingleSleepWait_errnopthread_mutex_destroypthread_mutex_lockpthread_mutex_trylock
                                      • String ID:
                                      • API String ID: 1765050713-0
                                      • Opcode ID: 54cdd8695500c320e272304b0787b70abbc485f8a240291c35dd53958e754cf2
                                      • Instruction ID: 1f2a4eb4f731e649fc86398aff19053bdef61e56f828baef3764c5bb707ad8d3
                                      • Opcode Fuzzy Hash: 54cdd8695500c320e272304b0787b70abbc485f8a240291c35dd53958e754cf2
                                      • Instruction Fuzzy Hash: EC11BF762286058AD7107F3CD8B0E7E7BE4AF42728F44052DD9A88F281D73DD8418BA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$ErrorLastO_ctrlO_readO_test_flagsR_clear_errorR_free
                                      • String ID: @$.
                                      • API String ID: 278959733-2391434856
                                      • Opcode ID: 9cb5a19841759cf5e53cede249338231029565bbf12a02ad6e7ee914d1a2549b
                                      • Instruction ID: 42377542484eae5004fcf73afbea06a26209be283bfc91a1ab7a38e0fccfe6a1
                                      • Opcode Fuzzy Hash: 9cb5a19841759cf5e53cede249338231029565bbf12a02ad6e7ee914d1a2549b
                                      • Instruction Fuzzy Hash: 97B12AB05087918FD320CF2AC58026ABBF1AF89344F14892EE5D5C7B41E779D549CB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: crc32
                                      • String ID: incorrect header check$invalid window size$unknown compression method
                                      • API String ID: 2947273566-1186847913
                                      • Opcode ID: 57dc7270ef0b4fb978bed968b3a98e8255d0ad1cbe9ed4b5d875d09febdef2da
                                      • Instruction ID: 941fa55b0a0353901e4074778b68a8a0a84c7c45d7d4afe1fb99b3f3076daa76
                                      • Opcode Fuzzy Hash: 57dc7270ef0b4fb978bed968b3a98e8255d0ad1cbe9ed4b5d875d09febdef2da
                                      • Instruction Fuzzy Hash: 07A11975E042058BDB04CF69C4A079DB7F1FF89318F24C16AE898AB745D379E985CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 6CCB4C3F
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CCB4C65
                                      • EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 6CCB4C88
                                      • EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 6CCB4CA4
                                      • EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 6CCB4CC7
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CCB4D95
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Digest$Final_exInit_ex$UpdateX_free
                                      • String ID: exporter
                                      • API String ID: 1887130354-111224270
                                      • Opcode ID: 4a31a94b5f2c3b58e69725910256c912310a4e99a37f7d35b07325355b3b60c7
                                      • Instruction ID: bd10da3de7058e59188fd6e146f33bb110d637ea9faf24f8183b5bf7fd08dc44
                                      • Opcode Fuzzy Hash: 4a31a94b5f2c3b58e69725910256c912310a4e99a37f7d35b07325355b3b60c7
                                      • Instruction Fuzzy Hash: 7F4199B090D7429FC350DF69D58469ABBE4BF88748F018D6EE8C8E7710E734D9488B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: DigestInit_exO_ctrlO_freeX_new
                                      • String ID: A$P
                                      • API String ID: 3525689870-345673399
                                      • Opcode ID: 37461501f53e3ea4452c7f3303ff03b9101fe683d67c53f0e235b8f7b35b6727
                                      • Instruction ID: 12f719a58d746d914d1d2ccd365fb708fa0a47b691999f78c607f5d99cb97066
                                      • Opcode Fuzzy Hash: 37461501f53e3ea4452c7f3303ff03b9101fe683d67c53f0e235b8f7b35b6727
                                      • Instruction Fuzzy Hash: 57315E756097019FE710CF69D18875AFBE0FF84358F04896EEC689B711E774D8448B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: AddressLibraryProc$FreeLoad
                                      • String ID: __mingwthr_key_dtor$__mingwthr_remove_key_dtor$mingwm10.dll
                                      • API String ID: 2256533930-1831764645
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualQuery.KERNEL32 ref: 62E8E2B8
                                      • VirtualProtect.KERNEL32 ref: 62E8E2ED
                                      • memcpy.MSVCRT ref: 62E8E300
                                      • VirtualProtect.KERNEL32 ref: 62E8E32D
                                        • Part of subcall function 62E8E230: fwrite.MSVCRT ref: 62E8E263
                                        • Part of subcall function 62E8E230: vfprintf.MSVCRT ref: 62E8E276
                                        • Part of subcall function 62E8E230: abort.MSVCRT(?,?,?,?,?,?,62E8E352), ref: 62E8E27B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Virtual$Protect$Queryabortfwritememcpyvfprintf
                                      • String ID: VirtualQuery failed for %d bytes at address %p$@$ab
                                      • API String ID: 1199066469-274822748
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: DSA$ECDSA$PSS$RSA$RSA-PSS
                                      • API String ID: 0-2025297953
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: H_freeHparamsM_read_bio_O_ctrlO_freeO_newO_s_file
                                      • String ID: l
                                      • API String ID: 2896938982-2517025534
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • X509_STORE_CTX_new.LIBCRYPTO-1_1 ref: 6CCA294B
                                      • X509_STORE_CTX_init.LIBCRYPTO-1_1 ref: 6CCA2973
                                      • X509_verify_cert.LIBCRYPTO-1_1 ref: 6CCA2987
                                      • ERR_clear_error.LIBCRYPTO-1_1 ref: 6CCA298C
                                      • X509_STORE_CTX_get0_chain.LIBCRYPTO-1_1 ref: 6CCA2998
                                        • Part of subcall function 6CCB2360: OPENSSL_sk_num.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCB23D3
                                        • Part of subcall function 6CCB2360: OPENSSL_sk_value.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCB23E7
                                        • Part of subcall function 6CCB2360: X509_get0_pubkey.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCB23F1
                                        • Part of subcall function 6CCB2360: EVP_PKEY_security_bits.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCB2402
                                        • Part of subcall function 6CCB2360: X509_get_extension_flags.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCB243C
                                        • Part of subcall function 6CCB2360: X509_get_signature_info.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CCB246D
                                      • X509_STORE_CTX_free.LIBCRYPTO-1_1 ref: 6CCA29CF
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • X509_STORE_CTX_free.LIBCRYPTO-1_1 ref: 6CCA2A67
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CCA2AAF
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CCA2AE0
                                      • X509_STORE_CTX_free.LIBCRYPTO-1_1 ref: 6CCA2B02
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X509_$X_free$L_sk_numL_sk_value$R_clear_errorR_put_errorX509_get0_pubkeyX509_get_extension_flagsX509_get_signature_infoX509_verify_certX_get0_chainX_initX_newY_security_bits
                                      • String ID: P
                                      • API String ID: 3252627264-3110715001
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_lock.PTHREADGC2 ref: 624891AF
                                        • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 624891C8
                                      • _errno.MSVCRT ref: 624891E1
                                      • WaitForSingleObject.KERNEL32 ref: 62489206
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62489215
                                      • _errno.MSVCRT ref: 6248921A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: ObjectSingleWait_errnopthread_mutex_unlock$pthread_mutex_lock
                                      • String ID: 0Ib
                                      • API String ID: 1429293333-656040330
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: strlen$L_sk_findL_sk_freeL_sk_pushR_put_errorstrchrstrncmp
                                      • String ID: :
                                      • API String ID: 1493756383-336475711
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • malloc.MSVCRT ref: 62E84DF3
                                      • free.MSVCRT(?,?,?,?,?,?,00000000,?,?,?,62E8505E), ref: 62E84EAB
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: freemalloc
                                      • String ID:
                                      • API String ID: 3061335427-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ERR_peek_error.LIBCRYPTO-1_1 ref: 6CC81FF8
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_peek_error
                                      • String ID:
                                      • API String ID: 3623038435-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Process$AffinityCurrentMaskcallocfreepthread_mutexattr_destroypthread_mutexattr_init
                                      • String ID:
                                      • API String ID: 3396887095-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,?,?,62485568), ref: 624859D2
                                        • Part of subcall function 62484FD8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,62485041), ref: 62484FE5
                                        • Part of subcall function 62484FD8: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,62485041), ref: 62484FF1
                                        • Part of subcall function 62484FD8: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,62485041), ref: 62484FFE
                                      • GetCurrentThreadId.KERNEL32 ref: 62485A0C
                                      • GetCurrentProcess.KERNEL32 ref: 62485A17
                                      • GetCurrentThread.KERNEL32 ref: 62485A1E
                                      • GetCurrentProcess.KERNEL32 ref: 62485A25
                                      • DuplicateHandle.KERNEL32 ref: 62485A54
                                      • GetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 62485A6E
                                      • pthread_setspecific.PTHREADGC2 ref: 62485A86
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Current$Thread$ErrorLastProcess$DuplicateHandlePriorityValuepthread_getspecificpthread_setspecific
                                      • String ID:
                                      • API String ID: 3801400185-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_id.LIBCRYPTO-1_1(?), ref: 6CCB18D3
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1(?), ref: 6CCB1909
                                      • X509_get_issuer_name.LIBCRYPTO-1_1(?), ref: 6CCB191F
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1(?), ref: 6CCB1956
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1(?), ref: 6CCB1977
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1(?), ref: 6CCB1991
                                      • X509_get_issuer_name.LIBCRYPTO-1_1(?), ref: 6CCB1999
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1(?), ref: 6CCB19CA
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_num$X509_get_issuer_name$L_sk_valueY_id
                                      • String ID:
                                      • API String ID: 3371085053-0
                                      • Opcode ID: 737d3934dedb72c1b3ac6cacead7afa2a27af4cf13dfe6db40f0bdb584c4d7b7
                                      • Instruction ID: 4fadbb5cceef74acfbe5c57883518360f9b6cd4124d5420182eac2fe4a9386a5
                                      • Opcode Fuzzy Hash: 737d3934dedb72c1b3ac6cacead7afa2a27af4cf13dfe6db40f0bdb584c4d7b7
                                      • Instruction Fuzzy Hash: 4F11C8B1908B418ECB14AFF9C48019EB6E0AF45244F554D2EE895F7B10F734D5498B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 6CC74D68
                                      • OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 6CC74E2B
                                      • X509_up_ref.LIBCRYPTO-1_1 ref: 6CC74E37
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_push$X509_up_ref
                                      • String ID:
                                      • API String ID: 2732516723-0
                                      • Opcode ID: f40d609f3bb3b3907e0aefc62216adcb979c6e0a62769874e81c7e4e4d618130
                                      • Instruction ID: 9789aaa9b3a7d33113c2ffb40c188d3feacf013428fa5b14c230e1cc541afaac
                                      • Opcode Fuzzy Hash: f40d609f3bb3b3907e0aefc62216adcb979c6e0a62769874e81c7e4e4d618130
                                      • Instruction Fuzzy Hash: 494148B160A7019BE710DF66E58075BBBE4FF80368F14896EE4989BB50E331D844CF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC7FBE0: OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC7FC3A
                                        • Part of subcall function 6CC7FBE0: OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC7FC4A
                                        • Part of subcall function 6CC7FBE0: OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 6CC7FC79
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC8EE09
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC8EE3B
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC8EE56
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC8EF63
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_freeL_sk_numL_sk_value$L_sk_new_null
                                      • String ID: D$P
                                      • API String ID: 3503893677-307317852
                                      • Opcode ID: 0a51b76bb18ba9f400335690229d75bfac2a6e61371545b603f95ca55dd383bf
                                      • Instruction ID: 3bf26914960852cc3387130f2894d0850abf11b1b3766427f4d8868b9116c7e1
                                      • Opcode Fuzzy Hash: 0a51b76bb18ba9f400335690229d75bfac2a6e61371545b603f95ca55dd383bf
                                      • Instruction Fuzzy Hash: 004112B550A7018BE7109F66C58435FBBE4AF8534CF018D2DE8888BB40F778D849CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ASYNC_get_current_job.LIBCRYPTO-1_1 ref: 6CC7EF20
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7EF97
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7EFD1
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7F00E
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7F044
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$C_get_current_job
                                      • String ID: B
                                      • API String ID: 2484768174-1255198513
                                      • Opcode ID: 8aa275f8a35f28cdafc8b51ed0abc3be4d99a13154606798ccc548b89b8fa0cb
                                      • Instruction ID: fe73a047ad422eb6cec8c6076460bcf8f41f33f9746b95623c77cc2a4774ec3c
                                      • Opcode Fuzzy Hash: 8aa275f8a35f28cdafc8b51ed0abc3be4d99a13154606798ccc548b89b8fa0cb
                                      • Instruction Fuzzy Hash: 3C41FCB12087019FD710DF55D58478BBBE0FF85768F108A1DF4A89BB90E3B998488B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_num$L_sk_findL_sk_valuememcpystrlen
                                      • String ID:
                                      • API String ID: 4219351304-0
                                      • Opcode ID: c0d1f483aa3e0168e191ceef688246ddfe95e7981562e03641d8ed2dcf1da230
                                      • Instruction ID: 55b488a7b4d97fd7d4c09d8f6f47423e84bef0fa353abfefa36d4ddbabff5ab0
                                      • Opcode Fuzzy Hash: c0d1f483aa3e0168e191ceef688246ddfe95e7981562e03641d8ed2dcf1da230
                                      • Instruction Fuzzy Hash: 13314A7160A7428FD700DF69C48069FBBE0EF85349F15486EE98897711E732E986CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC7FBE0: OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC7FC3A
                                        • Part of subcall function 6CC7FBE0: OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC7FC4A
                                        • Part of subcall function 6CC7FBE0: OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 6CC7FC79
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC8EC89
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC8ECBB
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC8ECD6
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC8EDB3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_freeL_sk_numL_sk_value$L_sk_new_null
                                      • String ID: D$P
                                      • API String ID: 3503893677-307317852
                                      • Opcode ID: b7c8080e21b1fe1e5b898f75143566c147d2086f15a068bdc1e8b72ae2d16c11
                                      • Instruction ID: eda79848765bf84860c6b15e56dd8fdb9db76cbd44b522b3c33dde70c72ec533
                                      • Opcode Fuzzy Hash: b7c8080e21b1fe1e5b898f75143566c147d2086f15a068bdc1e8b72ae2d16c11
                                      • Instruction Fuzzy Hash: BD3159B550A7019BD300AF65C58435FBBE4EF80348F00886EE99897B40F7B9D848CB83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC81270: CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC812A4
                                        • Part of subcall function 6CC81270: CRYPTO_THREAD_lock_new.LIBCRYPTO-1_1 ref: 6CC812C0
                                        • Part of subcall function 6CC81270: OPENSSL_sk_dup.LIBCRYPTO-1_1 ref: 6CC81363
                                      • memcpy.MSVCRT ref: 6CC832A5
                                        • Part of subcall function 6CC7E3B0: memcpy.MSVCRT ref: 6CC7E44B
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC82E13
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC82E2F
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC82E47
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC82E67
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC82E7F
                                      • OPENSSL_sk_new_reserve.LIBCRYPTO-1_1 ref: 6CC82ED8
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC82F16
                                        • Part of subcall function 6CC7C5E0: EVP_MD_size.LIBCRYPTO-1_1 ref: 6CC7C64C
                                        • Part of subcall function 6CC7C5E0: CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC7C686
                                        • Part of subcall function 6CC7C5E0: CRYPTO_malloc.LIBCRYPTO-1_1 ref: 6CC7C6C2
                                        • Part of subcall function 6CC7C5E0: memcpy.MSVCRT ref: 6CC7C6ED
                                        • Part of subcall function 6CC7C5E0: d2i_X509.LIBCRYPTO-1_1 ref: 6CC7C73D
                                      • X509_VERIFY_PARAM_get_depth.LIBCRYPTO-1_1 ref: 6CC83001
                                      • X509_VERIFY_PARAM_set_depth.LIBCRYPTO-1_1 ref: 6CC83013
                                      • CRYPTO_dup_ex_data.LIBCRYPTO-1_1 ref: 6CC8304B
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 6CC83096
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 6CC830B2
                                      • COMP_CTX_free.LIBCRYPTO-1_1 ref: 6CC830CA
                                      • COMP_CTX_free.LIBCRYPTO-1_1 ref: 6CC830E2
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC830FA
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC83112
                                      • X509_VERIFY_PARAM_inherit.LIBCRYPTO-1_1 ref: 6CC8315E
                                      • OPENSSL_sk_dup.LIBCRYPTO-1_1 ref: 6CC83170
                                      • OPENSSL_sk_dup.LIBCRYPTO-1_1 ref: 6CC83190
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC83387
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_free$L_sk_dupX509_memcpy$L_sk_numL_sk_pop_freeO_zalloc$D_lock_newD_sizeL_sk_new_reserveL_sk_valueM_get_depthM_inheritM_set_depthO_dup_ex_dataO_mallocR_put_errorX509X509_freed2i_
                                      • String ID:
                                      • API String ID: 1050195886-0
                                      • Opcode ID: 92dc8391c4f802f0466297fb5cfb43d5377e8e4cb4558df4092e0994144f9d73
                                      • Instruction ID: 835724c9c27e82c602220faacfe01fbf58b6a82b12a816d3018ccf44325170fa
                                      • Opcode Fuzzy Hash: 92dc8391c4f802f0466297fb5cfb43d5377e8e4cb4558df4092e0994144f9d73
                                      • Instruction Fuzzy Hash: 5C41F3B06097018FDB009F79C59879ABBE0AF46258F08497DE9AC9B752E734D809CB21
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC64FD0: CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC64FFD
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CC8C568), ref: 6CCA4E2E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_numO_zalloc
                                      • String ID: D$P
                                      • API String ID: 485224183-307317852
                                      • Opcode ID: 3be6c007b3fa90f5ebeb04aff34166b059979903ab43c1dd978ba82f8cdac4a9
                                      • Instruction ID: ac85d6d05b3bbb34bbe77320e166880bb80334bab8b905d1dc0381151c9b392d
                                      • Opcode Fuzzy Hash: 3be6c007b3fa90f5ebeb04aff34166b059979903ab43c1dd978ba82f8cdac4a9
                                      • Instruction Fuzzy Hash: A3214AB16093428BD700DFA5D58825EFBE4BF84748F01882DE898D7B00FB75D8498B43
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_mutex_destroypthread_mutex_init$callocfreepthread_cond_init
                                      • String ID:
                                      • API String ID: 3621214785-0
                                      • Opcode ID: d4411f55c2928c2ee7e2d787d614a1b616783b924f8275b291e083658494a447
                                      • Instruction ID: 50404560384b63285b1ddc13362130e087dcb06ec77ca5087ec99aabea213cd2
                                      • Opcode Fuzzy Hash: d4411f55c2928c2ee7e2d787d614a1b616783b924f8275b291e083658494a447
                                      • Instruction Fuzzy Hash: F6218E712287198BE711AF79D864B5BB7E4AF80798F05082DD4888F340EB7DC944CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      • Associated: 00000013.00000002.2089589408.0000000062E80000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089632392.0000000062E95000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089649416.0000000062E9C000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089663354.0000000062E9D000.00000004.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089711488.0000000062EA0000.00000008.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089731495.0000000062EA1000.00000002.00000001.01000000.00000006.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: inflate$Init_
                                      • String ID: 1.2.5$8
                                      • API String ID: 1809909112-3466090614
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: deflate$Init_
                                      • String ID: 1.2.5$8
                                      • API String ID: 1566556424-3466090614
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: deflate$Init_
                                      • String ID: 1.2.5$8
                                      • API String ID: 1566556424-3466090614
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ENGINE_init.LIBCRYPTO-1_1 ref: 6CC8B88B
                                      • ENGINE_get_ssl_client_cert_function.LIBCRYPTO-1_1 ref: 6CC8B897
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC8B8E3
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC8B91F
                                      • ENGINE_finish.LIBCRYPTO-1_1 ref: 6CC8B927
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$E_finishE_get_ssl_client_cert_functionE_init
                                      • String ID: &
                                      • API String ID: 1926914667-1010288
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • invalid code -- missing end-of-block, xrefs: 62E8AC70
                                      • invalid literal/lengths set, xrefs: 62E8AC58
                                      • invalid literal/length code, xrefs: 62E8AD1C
                                      • invalid distances set, xrefs: 62E8AC40
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: crc32
                                      • String ID: invalid code -- missing end-of-block$invalid distances set$invalid literal/length code$invalid literal/lengths set
                                      • API String ID: 2947273566-1716664648
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_lock.PTHREADGC2 ref: 6248A024
                                        • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 6248A04E
                                      • sem_post_multiple.PTHREADGC2 ref: 6248A063
                                      • _errno.MSVCRT ref: 6248A06C
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: ObjectSingleWait_errnopthread_mutex_lockpthread_mutex_unlocksem_post_multiple
                                      • String ID:
                                      • API String ID: 3229830424-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_lock.PTHREADGC2 ref: 62489B3F
                                        • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62489B61
                                      • sem_post_multiple.PTHREADGC2 ref: 62489B7A
                                      • _errno.MSVCRT ref: 62489B83
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: ObjectSingleWait_errnopthread_mutex_lockpthread_mutex_unlocksem_post_multiple
                                      • String ID:
                                      • API String ID: 3229830424-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_lock.PTHREADGC2 ref: 62487B13
                                        • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487B48
                                      • _errno.MSVCRT ref: 62487B5D
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487B74
                                      • ReleaseSemaphore.KERNEL32 ref: 62487B98
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487BBB
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_mutex_unlock$ObjectReleaseSemaphoreSingleWait_errnopthread_mutex_lock
                                      • String ID:
                                      • API String ID: 3268020351-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_lock.PTHREADGC2 ref: 62489CA7
                                        • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62489CC8
                                      • pthread_mutex_lock.PTHREADGC2 ref: 62489CD9
                                      • sem_post.PTHREADGC2 ref: 62489CFE
                                      • _errno.MSVCRT ref: 62489D07
                                      • sem_post.PTHREADGC2 ref: 62489D37
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_mutex_locksem_post$ObjectSingleWait_errnopthread_mutex_unlock
                                      • String ID:
                                      • API String ID: 3860541548-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: free$_closedeflate
                                      • String ID:
                                      • API String ID: 4255144732-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_lock.PTHREADGC2 ref: 62487BDF
                                        • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487C03
                                      • _errno.MSVCRT ref: 62487C19
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487C30
                                      • ReleaseSemaphore.KERNEL32 ref: 62487C4E
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487C66
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_mutex_unlock$ObjectReleaseSemaphoreSingleWait_errnopthread_mutex_lock
                                      • String ID:
                                      • API String ID: 3268020351-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • calloc.MSVCRT ref: 6248678C
                                      • pthread_mutex_init.PTHREADGC2 ref: 624867A7
                                        • Part of subcall function 62482FA0: calloc.MSVCRT ref: 62482FD8
                                        • Part of subcall function 62482FA0: CreateEventA.KERNEL32 ref: 62483037
                                      • free.MSVCRT ref: 624867B3
                                      • _errno.MSVCRT ref: 624867C5
                                      • CreateSemaphoreA.KERNEL32 ref: 62486807
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Createcalloc$EventSemaphore_errnofreepthread_mutex_init
                                      • String ID:
                                      • API String ID: 2823924184-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_lock.PTHREADGC2 ref: 62487D43
                                        • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487D60
                                      • _errno.MSVCRT ref: 62487D75
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487D87
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487D96
                                      • _errno.MSVCRT ref: 62487D9B
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_mutex_unlock$_errno$ObjectSingleWaitpthread_mutex_lock
                                      • String ID:
                                      • API String ID: 343774353-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      • Associated: 00000013.00000002.2089589408.0000000062E80000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089632392.0000000062E95000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089649416.0000000062E9C000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089663354.0000000062E9D000.00000004.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089711488.0000000062EA0000.00000008.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089731495.0000000062EA1000.00000002.00000001.01000000.00000006.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: free$_close
                                      • String ID:
                                      • API String ID: 3165389682-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,6CC61FD5), ref: 6CC82A14
                                      • EVP_CIPHER_CTX_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,6CC61FD5), ref: 6CC82A30
                                      • COMP_CTX_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,6CC61FD5), ref: 6CC82A48
                                      • COMP_CTX_free.LIBCRYPTO-1_1 ref: 6CC82A60
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC82A78
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC82A90
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_free
                                      • String ID:
                                      • API String ID: 2268491255-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Process$CloseCurrentHandleOpen
                                      • String ID:
                                      • API String ID: 2750122171-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      • Associated: 00000013.00000002.2089589408.0000000062E80000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089632392.0000000062E95000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089649416.0000000062E9C000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089663354.0000000062E9D000.00000004.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089711488.0000000062EA0000.00000008.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089731495.0000000062EA1000.00000002.00000001.01000000.00000006.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: crc32
                                      • String ID: incorrect data check$incorrect length check
                                      • API String ID: 2947273566-170994517
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • VirtualQuery failed for %d bytes at address %p, xrefs: 6248CE78
                                      • @, xrefs: 6248CDF8
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Virtual$Protect$Query
                                      • String ID: VirtualQuery failed for %d bytes at address %p$@
                                      • API String ID: 3618607426-709786108
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ASYNC_get_current_job.LIBCRYPTO-1_1 ref: 6CC7ED90
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7EE03
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7EE42
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7EE75
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$C_get_current_job
                                      • String ID: B
                                      • API String ID: 2484768174-1255198513
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_sizeL_cleansememcpy
                                      • String ID: @$traffic upd
                                      • API String ID: 2940768226-3337784387
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC64FD0: CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC64FFD
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CCB2C9F
                                        • Part of subcall function 6CC64DF0: CRYPTO_free.LIBCRYPTO-1_1 ref: 6CC64E58
                                        • Part of subcall function 6CC654B0: CRYPTO_zalloc.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,6CCA8994), ref: 6CC654E1
                                      • EVP_PKEY_derive_init.LIBCRYPTO-1_1 ref: 6CCB2E55
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CCB2E61
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCB2EF8
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCB2F33
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCB2F6A
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCB2F9E
                                      • EVP_PKEY_derive.LIBCRYPTO-1_1 ref: 6CCB2FC4
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CCB2FD4
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CCB3007
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_ctrl$X_free$O_zallocR_put_error$O_freeY_deriveY_derive_init
                                      • String ID: D$P$tls13
                                      • API String ID: 1018461966-2588271356
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_bytes$time
                                      • String ID: DOWN$GRD
                                      • API String ID: 743935771-793235962
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BIO_snprintf.LIBCRYPTO-1_1 ref: 6CC78FC2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_snprintf
                                      • String ID: %-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s$DES(56)$MD5$unknown
                                      • API String ID: 3142812517-2458424396
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BIO_ctrl.LIBCRYPTO-1_1 ref: 6CC6FC81
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CC6FC93
                                      • EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 6CC6FCD3
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6FD38
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Digest$Init_exO_ctrlUpdateX_new
                                      • String ID: D$P
                                      • API String ID: 2441367972-307317852
                                      • Opcode ID: 23fd01f067dda01166112ea97daaca20b836871ef2e348cd875a0f5414a71484
                                      • Instruction ID: dacf4a046dbd46f4323f1277a294442375961cae54e5e7b0d5514aaa590197df
                                      • Opcode Fuzzy Hash: 23fd01f067dda01166112ea97daaca20b836871ef2e348cd875a0f5414a71484
                                      • Instruction Fuzzy Hash: 28113CB0508B019FD700DF65D58874AFBE0BF84348F11C96DE8A8AB711E774D8488F92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CCACBB7
                                      • EVP_CIPHER_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCACCC7
                                      • EVP_CIPHER_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCACCEF
                                      • EVP_CipherInit_ex.LIBCRYPTO-1_1 ref: 6CCACD27
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_ctrl$CipherInit_exR_flags
                                      • String ID: D$P
                                      • API String ID: 635281127-307317852
                                      • Opcode ID: fd03e35aa8f7b0c8920a867effeedd68fa7686ae416ee53daf1ed275cb746344
                                      • Instruction ID: 80c8346067a46ad5201d4f7dd3de0f84b3024cbd3f58d05e3da73140122fc646
                                      • Opcode Fuzzy Hash: fd03e35aa8f7b0c8920a867effeedd68fa7686ae416ee53daf1ed275cb746344
                                      • Instruction Fuzzy Hash: 92119BB01097029EE3009FA5D54834BBBE0AF84758F10991DE5E89B690E7BAC4498F97
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BIO_ctrl.LIBCRYPTO-1_1 ref: 6CC6FF1B
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CC6FF2D
                                      • EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 6CC6FF6D
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6FFC8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Digest$Init_exO_ctrlUpdateX_new
                                      • String ID: D$P
                                      • API String ID: 2441367972-307317852
                                      • Opcode ID: 3de9ce0748f4a33aabac8e1a54ad0446220739b615c10410a87af06378575a57
                                      • Instruction ID: 9592e5db79362ff0c8939fb395d65966e1af0108d9fdf8a7fb464f9a4b1a6d01
                                      • Opcode Fuzzy Hash: 3de9ce0748f4a33aabac8e1a54ad0446220739b615c10410a87af06378575a57
                                      • Instruction Fuzzy Hash: C11135B0508B019FE740DF64D58834ABBE0FF84358F11C86EE8A8AB711E775D8488B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EC_KEY_get0_group.LIBCRYPTO-1_1 ref: 6CC70DC2
                                      • EC_GROUP_get_curve_name.LIBCRYPTO-1_1 ref: 6CC70DD2
                                        • Part of subcall function 6CCAE770: CRYPTO_malloc.LIBCRYPTO-1_1(?,?,?,6CCAE925), ref: 6CCAE79B
                                        • Part of subcall function 6CCAE770: CRYPTO_free.LIBCRYPTO-1_1(?,?,?,6CCAE925), ref: 6CCAE800
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC70F81
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7105B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$O_freeO_mallocP_get_curve_nameY_get0_group
                                      • String ID: |
                                      • API String ID: 787136657-2343686810
                                      • Opcode ID: a676aafdc789119b8e0e5c92d6d311483867a109a1a286b662bfe2a55c071d21
                                      • Instruction ID: b4fdb4e1323eb0f26e0330772499bc4ee8f58a2b8720ae605378b4547efddcc9
                                      • Opcode Fuzzy Hash: a676aafdc789119b8e0e5c92d6d311483867a109a1a286b662bfe2a55c071d21
                                      • Instruction Fuzzy Hash: 9101D7B15097419EE7009F65D45435FBBE0EF80359F108C2EE8D88A750EB7AC149DFA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RAND_priv_bytes.LIBCRYPTO-1_1 ref: 6CCB5D28
                                      • BN_bin2bn.LIBCRYPTO-1_1 ref: 6CCB5D4A
                                      • OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 6CCB5D60
                                      • SRP_Calc_A.LIBCRYPTO-1_1 ref: 6CCB5D82
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Calc_D_priv_bytesL_cleanseN_bin2bn
                                      • String ID: 0
                                      • API String ID: 4178199679-4108050209
                                      • Opcode ID: f7cb22311fb67573b214a9e9772b14fea3e36110f1022f989e801cb1f5bb7556
                                      • Instruction ID: 74676ad3be699e667f5173b82f5a3c89abad7a908a6f8addac7fcf603b607614
                                      • Opcode Fuzzy Hash: f7cb22311fb67573b214a9e9772b14fea3e36110f1022f989e801cb1f5bb7556
                                      • Instruction Fuzzy Hash: D901D6B450AB109BD700DF68C29428ABBE5AF88744F05887DEC88DB305E735D559DB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BIO_s_socket.LIBCRYPTO-1_1 ref: 6CC7DEA4
                                      • BIO_new.LIBCRYPTO-1_1 ref: 6CC7DEAC
                                      • BIO_int_ctrl.LIBCRYPTO-1_1 ref: 6CC7DED2
                                        • Part of subcall function 6CC7DC10: BIO_up_ref.LIBCRYPTO-1_1 ref: 6CC7DC39
                                        • Part of subcall function 6CC7DC10: BIO_free_all.LIBCRYPTO-1_1 ref: 6CC7DC5E
                                        • Part of subcall function 6CC7DC10: BIO_pop.LIBCRYPTO-1_1 ref: 6CC7DC73
                                        • Part of subcall function 6CC7DC10: BIO_free_all.LIBCRYPTO-1_1 ref: 6CC7DC7E
                                        • Part of subcall function 6CC7DC10: BIO_push.LIBCRYPTO-1_1 ref: 6CC7DC94
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7DF1F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free_all$O_int_ctrlO_newO_popO_pushO_s_socketO_up_refR_put_error
                                      • String ID: h
                                      • API String ID: 2112571325-2439710439
                                      • Opcode ID: c3f1f8240e3a3c079fc08384ffd859ce9ce7ecc00d7201de206470b3a7c325c1
                                      • Instruction ID: 5436fe122e35ed9d953f05fd77030098b05019b9aa4c3cbc46fb466d268e9eab
                                      • Opcode Fuzzy Hash: c3f1f8240e3a3c079fc08384ffd859ce9ce7ecc00d7201de206470b3a7c325c1
                                      • Instruction Fuzzy Hash: 1E01A4B190A7019BDB449FA5C48475EBBE0FB88348F508C1CE4D8A7740E779A4889B93
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • X509_STORE_CTX_init.LIBCRYPTO-1_1 ref: 6CC75E01
                                      • X509_STORE_CTX_set_flags.LIBCRYPTO-1_1 ref: 6CC75E23
                                      • X509_verify_cert.LIBCRYPTO-1_1 ref: 6CC75E2B
                                      • X509_STORE_CTX_get1_chain.LIBCRYPTO-1_1 ref: 6CC75E41
                                      • OPENSSL_sk_shift.LIBCRYPTO-1_1 ref: 6CC75E4D
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC75E55
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC75EC1
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC75EE0
                                      • X509_STORE_CTX_new.LIBCRYPTO-1_1 ref: 6CC75F03
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC75F3D
                                      • X509_STORE_free.LIBCRYPTO-1_1 ref: 6CC75FCD
                                      • X509_STORE_CTX_free.LIBCRYPTO-1_1 ref: 6CC75FD9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X509_$E_freeL_sk_numL_sk_pop_freeL_sk_shiftR_put_errorX509_freeX509_verify_certX_freeX_get1_chainX_initX_newX_set_flags
                                      • String ID: A
                                      • API String ID: 809722490-3554254475
                                      • Opcode ID: 819c719339830f02e2d0bac210ce0f6d21b9c37b4a4cc4acae8c2556d1269142
                                      • Instruction ID: 4b6e45e1324c456df92f61eca0f382842e31d07d488140059ab8379ca39349f4
                                      • Opcode Fuzzy Hash: 819c719339830f02e2d0bac210ce0f6d21b9c37b4a4cc4acae8c2556d1269142
                                      • Instruction Fuzzy Hash: 16F0B7B1209B018FD3049FA5D88424EF7E4FF45349F00892DE59CE7B51E775D4498B56
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: crc32
                                      • String ID:
                                      • API String ID: 2947273566-0
                                      • Opcode ID: 274d402638a11a853ca8fe09caaeaa5f210151aa81707fc5d458484df5fea087
                                      • Instruction ID: 0dd4f34f4fd303bb361b4fe4f0f464aa07be77880cb2470da16a0d6ef7f4540f
                                      • Opcode Fuzzy Hash: 274d402638a11a853ca8fe09caaeaa5f210151aa81707fc5d458484df5fea087
                                      • Instruction Fuzzy Hash: 7FE11975E042159FCB04CFA8D49069DFBF2BF89314F25C16AE898AB345D339E942CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_equalpthread_self$Event
                                      • String ID:
                                      • API String ID: 2888742973-0
                                      • Opcode ID: ea30a8af798378eed405a452b5080392133deee9a42f152d28ae5ec645788012
                                      • Instruction ID: d757fe6912fff80dfe02d2f7d50fbd0a55a01bdb25e3bb9bab7edcad2b5bd322
                                      • Opcode Fuzzy Hash: ea30a8af798378eed405a452b5080392133deee9a42f152d28ae5ec645788012
                                      • Instruction Fuzzy Hash: 61412E74A346028FDB82DF29D4A0B26B7E0EF84354F14C969D858CB34BD639D541CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_lock.PTHREADGC2 ref: 62489C35
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62489C4E
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_mutex_lockpthread_mutex_unlock
                                      • String ID:
                                      • API String ID: 3887897452-0
                                      • Opcode ID: 9e179671e8e8507e57c94dbf67b1ec35332b27422c1fe8f3cd31f2d3e35853c9
                                      • Instruction ID: b4d7fdb01edce8e4d13813977ab174c56d11737cae7a6bfc93e689e450ef5424
                                      • Opcode Fuzzy Hash: 9e179671e8e8507e57c94dbf67b1ec35332b27422c1fe8f3cd31f2d3e35853c9
                                      • Instruction Fuzzy Hash: 93118E31628A11CBDB50AF3888E0E5A76E0EE42394B058A6CCE659F345E73FC98187D5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • InterlockedExchange.KERNEL32 ref: 62E9279B
                                      • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,62E928A9,?,00000000,?,?,?,?,?,62E8F56A), ref: 62E927AE
                                      • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,62E928A9,?,00000000), ref: 62E927BD
                                        • Part of subcall function 62E81030: __dllonexit.MSVCRT ref: 62E8104C
                                      • EnterCriticalSection.KERNEL32(?,?,?,?,?,62E928A9,?,00000000,?,?,?,?,?,62E8F56A), ref: 62E927E8
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: CriticalSection$Initialize$EnterExchangeInterlocked__dllonexit
                                      • String ID:
                                      • API String ID: 3890555841-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC75E87
                                        • Part of subcall function 6CCB2180: X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CCB21CD
                                        • Part of subcall function 6CCB2180: EVP_PKEY_security_bits.LIBCRYPTO-1_1 ref: 6CCB21DE
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC75EC1
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC75EE0
                                      • X509_STORE_free.LIBCRYPTO-1_1 ref: 6CC75FCD
                                      • X509_STORE_CTX_free.LIBCRYPTO-1_1 ref: 6CC75FD9
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC76111
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC76125
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_pop_freeX509_$E_freeL_sk_numL_sk_valueR_put_errorX509_get0_pubkeyX_freeY_security_bits
                                      • String ID:
                                      • API String ID: 2925476589-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_CTX_new.LIBCRYPTO-1_1 ref: 6CC72C9F
                                      • EVP_PKEY_keygen_init.LIBCRYPTO-1_1 ref: 6CC72CAD
                                      • EVP_PKEY_keygen.LIBCRYPTO-1_1 ref: 6CC72CC1
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CC72CCD
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC72CE7
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_freeX_newY_freeY_keygenY_keygen_init
                                      • String ID:
                                      • API String ID: 3963247406-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Process$CloseCurrentHandleOpen
                                      • String ID:
                                      • API String ID: 2750122171-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_free_all$O_next$O_popO_push
                                      • String ID:
                                      • API String ID: 531699619-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_win32_thread_detach_np.PTHREADGC2 ref: 624854FE
                                      • pthread_win32_process_detach_np.PTHREADGC2 ref: 62485503
                                      • pthread_win32_process_attach_np.PTHREADGC2 ref: 62485534
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_win32_process_attach_nppthread_win32_process_detach_nppthread_win32_thread_detach_np
                                      • String ID:
                                      • API String ID: 2138137557-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: crc32
                                      • String ID: @$invalid distance code$invalid distance too far back
                                      • API String ID: 2947273566-2524391019
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 6CC68FC2
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CC68FCA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_flagsX_cipher
                                      • String ID: D$P
                                      • API String ID: 2855536855-307317852
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: D$P
                                      • API String ID: 0-307317852
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • unknown compression method, xrefs: 62E8AA5A
                                      • unknown header flags set, xrefs: 62E8AB27
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: crc32
                                      • String ID: unknown compression method$unknown header flags set
                                      • API String ID: 2947273566-1514342171
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memcpy.MSVCRT ref: 6CCA0A4E
                                        • Part of subcall function 6CC9FEB0: EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 6CC9FF1A
                                        • Part of subcall function 6CC9FEB0: EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CC9FF22
                                        • Part of subcall function 6CC9FEB0: EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 6CC9FF37
                                        • Part of subcall function 6CC9FEB0: EVP_MD_size.LIBCRYPTO-1_1 ref: 6CC9FF3F
                                        • Part of subcall function 6CC9FEB0: EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 6CC9FF55
                                        • Part of subcall function 6CC9FEB0: EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CC9FF5D
                                        • Part of subcall function 6CC9FEB0: BIO_ctrl.LIBCRYPTO-1_1 ref: 6CC9FFEE
                                        • Part of subcall function 6CC9FEB0: BIO_ctrl.LIBCRYPTO-1_1 ref: 6CCA002F
                                      • BIO_ctrl.LIBCRYPTO-1_1 ref: 6CCA0B82
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_ctrl$R_flagsX_cipher$D_sizeX_mdmemcpy
                                      • String ID: D$P
                                      • API String ID: 4035004152-307317852
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BUF_MEM_free.LIBCRYPTO-1_1 ref: 6CC973BF
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC978E5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: M_freeR_put_error
                                      • String ID: P$P
                                      • API String ID: 177401054-159270896
                                      • Opcode ID: 9ff613b42bc9219ef2e8db56db5a9c6d3dd2ad359eb863364d845ad8b526220f
                                      • Instruction ID: a4b2fb31cec1eb4962681c43562a5e52825501bd8bc9c7780d6b2e9074bdb8cd
                                      • Opcode Fuzzy Hash: 9ff613b42bc9219ef2e8db56db5a9c6d3dd2ad359eb863364d845ad8b526220f
                                      • Instruction Fuzzy Hash: 89316CB06063058FDB148F59C48538ABBE1BF84398F10852CED98DBB40E3B6D845DF86
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ASYNC_get_current_job.LIBCRYPTO-1_1 ref: 6CC7E9D6
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7EA47
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7EAE5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$C_get_current_job
                                      • String ID: B
                                      • API String ID: 2484768174-1255198513
                                      • Opcode ID: 93c4b966047be65128dda26df6e47b012910c30ba8dad02fb35b8ab0605ea5e6
                                      • Instruction ID: b5f28f828d3a611455b2e3ce067fdb5f9e1efd6ddf912d6ea5d65f9136a358fe
                                      • Opcode Fuzzy Hash: 93c4b966047be65128dda26df6e47b012910c30ba8dad02fb35b8ab0605ea5e6
                                      • Instruction Fuzzy Hash: 6431F7B12097409FD720DF65D48478BFBE0FB85758F10892DE89987750E3B9D849CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Time$System$FileO_ctrl
                                      • String ID: -
                                      • API String ID: 3793654131-2547889144
                                      • Opcode ID: 44a3163ebddd42fba968d8f64c5a900bdc57102a91f384e1a30dc3d2e22a8797
                                      • Instruction ID: da3f597ff817e887a34b6e26cfd6dcd075a696eb914db425dd719ba1af34cd12
                                      • Opcode Fuzzy Hash: 44a3163ebddd42fba968d8f64c5a900bdc57102a91f384e1a30dc3d2e22a8797
                                      • Instruction Fuzzy Hash: 8A31F2B29097019FCB40EF29D58439ABBE1FF84304F05C83DE8889B715EB3495489BA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 6CC76955
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC769B7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_pushR_put_error
                                      • String ID: D
                                      • API String ID: 349310899-2746444292
                                      • Opcode ID: fc551ec5fbe4f69af01a98ec26687f7d9a01091e355a9af16e15b7f2788239f7
                                      • Instruction ID: 1867c23574d62405cc33f34f909486b469792f5bb3175864ac6eaad0f70b389f
                                      • Opcode Fuzzy Hash: fc551ec5fbe4f69af01a98ec26687f7d9a01091e355a9af16e15b7f2788239f7
                                      • Instruction Fuzzy Hash: DC2160B11087418BEB20DF69E54576BFBE0FF80348F41882CE5D99B784E7799449CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Time$System$FileO_ctrl
                                      • String ID: -
                                      • API String ID: 3793654131-2547889144
                                      • Opcode ID: 5bdc9b0d40fbd99f616477a85b686ea86f0de45327be49556b721884914c8afd
                                      • Instruction ID: 9286229d265f7a8bafa68bcfa0bffb6f676f6b99d1e677917354c781f057809c
                                      • Opcode Fuzzy Hash: 5bdc9b0d40fbd99f616477a85b686ea86f0de45327be49556b721884914c8afd
                                      • Instruction Fuzzy Hash: F62106B29097059FCB40EF19D58439ABBE1EBC4304F05C83EEC889B715EB7491489B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: 40Ib$40Ib
                                      • API String ID: 4201588131-1775419244
                                      • Opcode ID: 85d1af6ceb764df5cbda5c2fb746c8ee4c6e843a3467accb50ba4995df578008
                                      • Instruction ID: e9de998c65b3f8d0724c9333e9d326e25e339d3cc772641f3eb2a764929bffc3
                                      • Opcode Fuzzy Hash: 85d1af6ceb764df5cbda5c2fb746c8ee4c6e843a3467accb50ba4995df578008
                                      • Instruction Fuzzy Hash: EF218471A057118BD705DF29C860B57BBE5BFC4728F058A2CE9985B384D778CA05CBC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_sha1.LIBCRYPTO-1_1 ref: 6CC6F615
                                      • EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 6CC6F62D
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6F649
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6F66D
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6F691
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6F6B5
                                      • EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 6CC6F6D9
                                      • EVP_md5.LIBCRYPTO-1_1 ref: 6CC6F6E6
                                      • EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 6CC6F6FE
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6F722
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6F742
                                      • EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 6CC6F76D
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC6F7EC
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC6F7F8
                                      • OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 6CC6F9AD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Digest$Update$Final_exInit_exX_free$L_cleanseP_md5P_sha1R_put_error
                                      • String ID: D$P
                                      • API String ID: 1852945443-307317852
                                      • Opcode ID: 6774a31e9c859e45d96823a2ff784db14a0483f3fd9c4e6b6bb9a3de687a8bd6
                                      • Instruction ID: a6077e83cbdb4f923e2fcba604f929d88a07cf17dec370e2ab40945586ecd1a8
                                      • Opcode Fuzzy Hash: 6774a31e9c859e45d96823a2ff784db14a0483f3fd9c4e6b6bb9a3de687a8bd6
                                      • Instruction Fuzzy Hash: 2D2158711093048FE714CF6AC58475EF7E0FB81318F148AACE8989BB51E3B5D949CB86
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: callocsem_init
                                      • String ID: $
                                      • API String ID: 3535707587-3993045852
                                      • Opcode ID: 02fb312dc41ff3dd8e02c0147b4e07feb81209797102a1765e9f676729ec82a1
                                      • Instruction ID: aa03c5e3d0aed764b2e472a65aa8af7cc9a6eb9d76b5623a41e58625d1ba8e5d
                                      • Opcode Fuzzy Hash: 02fb312dc41ff3dd8e02c0147b4e07feb81209797102a1765e9f676729ec82a1
                                      • Instruction Fuzzy Hash: 8F11097193A356DBE7809F28C554B4A7BE4EF45744F00442EE85C8B340E779D544CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC8ECBB
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC8ECD6
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC8EDB3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_free$L_sk_value
                                      • String ID: D$P
                                      • API String ID: 232749291-307317852
                                      • Opcode ID: bc75390c7d475127dfa4de9a53ec71b8fe2d0847b4f14b1c13a58e9af8379c2e
                                      • Instruction ID: 789d8f49503831d13da430c5c3e0c71f7798ebc6661dde0ff4d6ee4ec6eac6cb
                                      • Opcode Fuzzy Hash: bc75390c7d475127dfa4de9a53ec71b8fe2d0847b4f14b1c13a58e9af8379c2e
                                      • Instruction Fuzzy Hash: 1E11E6B55097019BE7009F60D59525FBBE0BF80748F018C2EE5D99BB50E7B9D5488B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC8EE3B
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC8EE56
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC8EF63
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_free$L_sk_value
                                      • String ID: D$P
                                      • API String ID: 232749291-307317852
                                      • Opcode ID: 39fe10db2367d3b24469b00eb251c411dbea6323ed369f45814a210d6eb11b6a
                                      • Instruction ID: c60af16a9ac64cf941c86555285f48d805bcfa3dedc0fac869845db6dac69d0e
                                      • Opcode Fuzzy Hash: 39fe10db2367d3b24469b00eb251c411dbea6323ed369f45814a210d6eb11b6a
                                      • Instruction Fuzzy Hash: CD11E3B550A7018BD7009F60D99825FBBE0BF80708F118C2DE4D98BB50E7B9D949CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC78290: OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 6CC7829E
                                        • Part of subcall function 6CC78290: CONF_parse_list.LIBCRYPTO-1_1 ref: 6CC782D1
                                        • Part of subcall function 6CC78290: OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC782E0
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7D017
                                        • Part of subcall function 6CC78440: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC784F3
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC7CFDA
                                      Strings
                                      • ALL:!COMPLEMENTOFDEFAULT:!eNULL, xrefs: 6CC7CFA8
                                      • TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256, xrefs: 6CC7CF8E
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_error$F_parse_listL_sk_freeL_sk_new_nullL_sk_num
                                      • String ID: ALL:!COMPLEMENTOFDEFAULT:!eNULL$TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
                                      • API String ID: 2139041216-3982828322
                                      • Opcode ID: 28295b9071d7444f8a494d8d1ad531f94ab80d816245d4eb1ed4654de96d363c
                                      • Instruction ID: ef61ab3064189d8f0422d45a8a8e1f8901843f5923414b63bfc569ad4755e6e3
                                      • Opcode Fuzzy Hash: 28295b9071d7444f8a494d8d1ad531f94ab80d816245d4eb1ed4654de96d363c
                                      • Instruction Fuzzy Hash: FF11E2B56093019FDB10DF64C98074ABBE0EF85348F04882DE998AB755F335E948CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RAND_priv_bytes.LIBCRYPTO-1_1 ref: 6CC80B0B
                                      • RAND_priv_bytes.LIBCRYPTO-1_1 ref: 6CC80CB9
                                      • RAND_priv_bytes.LIBCRYPTO-1_1 ref: 6CC80CDA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_priv_bytes
                                      • String ID:
                                      • API String ID: 1100307897-3916222277
                                      • Opcode ID: 8757ad890602115c2966ccd5b2e62c6135b5c19b76398482df4d9a76f408f419
                                      • Instruction ID: b596c98d14ff1bcd6b8d3fdd36c797ec507dedec7be41eaef6421085276a3550
                                      • Opcode Fuzzy Hash: 8757ad890602115c2966ccd5b2e62c6135b5c19b76398482df4d9a76f408f419
                                      • Instruction Fuzzy Hash: EE01E5B0106B408BEB00AF64E5D83DA7BE0AF0430CF09057CDD899F746E77984898B62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 6CCACBB7
                                      • EVP_CipherInit_ex.LIBCRYPTO-1_1 ref: 6CCACC37
                                      • EVP_CIPHER_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCACC5F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: CipherInit_exR_flagsX_ctrl
                                      • String ID: D$P
                                      • API String ID: 3413411502-307317852
                                      • Opcode ID: 97445eb19ca6cd284b4e3277ae6d1098427a7270333da5120aee31343b85d0c8
                                      • Instruction ID: 071d931bc6fa685de2700ef9cfcfa3ac5bf746ef8f114f5d44b1e7e806610604
                                      • Opcode Fuzzy Hash: 97445eb19ca6cd284b4e3277ae6d1098427a7270333da5120aee31343b85d0c8
                                      • Instruction Fuzzy Hash: 2D019EB15097019FD3009FA5D54434BBBE0BB84758F00881EE9A897650E7BAD5498F83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Virtual$Protect$Queryabortfwritememcpyvfprintf
                                      • String ID: ab
                                      • API String ID: 1199066469-1032453237
                                      • Opcode ID: 807d9bf50d9527caeb01ed81e10fe2ca7b1d171c58672be88f70f0f94e13e325
                                      • Instruction ID: 00c6001e63f5fe0c07958d44b7f81aa6befaa1e04fec57921c0a30ac6ad08cbb
                                      • Opcode Fuzzy Hash: 807d9bf50d9527caeb01ed81e10fe2ca7b1d171c58672be88f70f0f94e13e325
                                      • Instruction Fuzzy Hash: 05019AB5D04318ABCB00DF9AC59158DFBF4AB48754F51C4AEA89CA7301D7706A408B96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BIO_snprintf.LIBCRYPTO-1_1 ref: 6CC78FC2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_snprintf
                                      • String ID: %-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s$MD5$unknown
                                      • API String ID: 3142812517-3398525420
                                      • Opcode ID: 908885aec5c5612b62d69df35150724031a2131367a7ae86dc7c03cf0c694f72
                                      • Instruction ID: 09587f92ddb603c2edbb8db8d264aabf2814fcd9b784f411c92f80c5f901d543
                                      • Opcode Fuzzy Hash: 908885aec5c5612b62d69df35150724031a2131367a7ae86dc7c03cf0c694f72
                                      • Instruction Fuzzy Hash: 8B01FB76A09710CFC710CF59D48154AFBE0FF89345F41492EEAA8A7B04E330E9459B97
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CCA4FF4
                                      • EVP_MD_CTX_copy_ex.LIBCRYPTO-1_1 ref: 6CCA5013
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_copy_exX_new
                                      • String ID: D$P
                                      • API String ID: 1626106133-307317852
                                      • Opcode ID: 070e1bce14b2af1bd083dc55cee3bc29dc95b6e771b66a72c725825c8bf4a838
                                      • Instruction ID: 3577e10332febec04837b32d7ac716614dc33106e7ad5a34a5ab622adb0a6c1b
                                      • Opcode Fuzzy Hash: 070e1bce14b2af1bd083dc55cee3bc29dc95b6e771b66a72c725825c8bf4a838
                                      • Instruction Fuzzy Hash: 3B014BB010A7028FE700DF61C98874BB6E0AF88348F00A82CE9989BB41FB35C4959B52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 6CCA4FF4
                                      • EVP_MD_CTX_copy_ex.LIBCRYPTO-1_1 ref: 6CCA5013
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X_copy_exX_new
                                      • String ID: D$P
                                      • API String ID: 1626106133-307317852
                                      • Opcode ID: e28529c55cafb7bf4619aacb40ac5fe2c0eebb6a800437561543000c0b5dcf7b
                                      • Instruction ID: ce71dc3a99740b94288ab70997b8739a90d6c1b4d385f3be3ff45293e14a0da4
                                      • Opcode Fuzzy Hash: e28529c55cafb7bf4619aacb40ac5fe2c0eebb6a800437561543000c0b5dcf7b
                                      • Instruction Fuzzy Hash: 23F0F9B0109702DED740DF61C98834ABAE0BF88348F11D92DD9999BB41EB75C4599B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_puts$O_printf$O_dump_indent
                                      • String ID: Session-ID-ctx: $%02X
                                      • API String ID: 2086350682-3408083576
                                      • Opcode ID: a2d18ed58b66d98fc3b25bc416818599eb05367b416790444b7c2e0fd02fd387
                                      • Instruction ID: 201eaf7770e21948fad507099ef81e7c1e92a233fe7e3e27e2ff7108714598b4
                                      • Opcode Fuzzy Hash: a2d18ed58b66d98fc3b25bc416818599eb05367b416790444b7c2e0fd02fd387
                                      • Instruction Fuzzy Hash: 95F0E57260AF148AC7000FB5CC6129BBBA0BF82348F10886ED98C97B25F331C4074B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BIO_snprintf.LIBCRYPTO-1_1 ref: 6CC78FC2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_snprintf
                                      • String ID: %-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s$AEAD$unknown
                                      • API String ID: 3142812517-3821712381
                                      • Opcode ID: 2c6bda7226a9c820d73a6984e8015834ccd9ae9b017beade9385c4a446df5293
                                      • Instruction ID: d53a0da65ce340df291733de4a571939d3e21d075acf8caa9d2d0852b7a5cefd
                                      • Opcode Fuzzy Hash: 2c6bda7226a9c820d73a6984e8015834ccd9ae9b017beade9385c4a446df5293
                                      • Instruction Fuzzy Hash: 2AF0B2B6A093119FC340CF19D48028AFBE0BB89396F41892EE598E7700E330D9049B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_PKEY_keygen_init.LIBCRYPTO-1_1 ref: 6CC72D67
                                      • EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CC72DA3
                                      • EVP_PKEY_keygen.LIBCRYPTO-1_1 ref: 6CC72DBB
                                      • EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 6CC72DC7
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • EVP_PKEY_CTX_new_id.LIBCRYPTO-1_1 ref: 6CC72DE5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_errorX_ctrlX_freeX_new_idY_keygenY_keygen_init
                                      • String ID: A$P
                                      • API String ID: 284554209-345673399
                                      • Opcode ID: 7736fc7a39ad18589d3c3f4eaf72a98abf7c70b6b2c20950d10eeebc44caa9c9
                                      • Instruction ID: 21d7ebb6327091327c3b8ee7eb2e525757e24982580144c255f0b86298256b1e
                                      • Opcode Fuzzy Hash: 7736fc7a39ad18589d3c3f4eaf72a98abf7c70b6b2c20950d10eeebc44caa9c9
                                      • Instruction Fuzzy Hash: 0AF0F8B1108B01CFD3109FA8E09834ABBE0FF85348F004C2DE194AB750E774D5488B92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CCAB973
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CCAB983
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_pop_freeR_put_errorX509_free
                                      • String ID: A$P
                                      • API String ID: 3242308188-345673399
                                      • Opcode ID: c2fe73ba5b0b881009fa63361d8340e5424a03e531677dc25dd992a27f424c42
                                      • Instruction ID: 55a19aa7a4cad5f9eeb9ca69bf0f3445b75509aa31fba99a52d64b4c9e91522d
                                      • Opcode Fuzzy Hash: c2fe73ba5b0b881009fa63361d8340e5424a03e531677dc25dd992a27f424c42
                                      • Instruction Fuzzy Hash: 5FF0F8B2508B158FD7109FA9D44938EFBE0FF80758F018C1DE589A7B50E775A4498B86
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CCA4C21
                                      • X509_NAME_free.LIBCRYPTO-1_1 ref: 6CCA4C29
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: E_freeL_sk_pop_freeR_put_errorX509_
                                      • String ID: A$P
                                      • API String ID: 1088219935-345673399
                                      • Opcode ID: 045addcaf9a88127e69f2a36b7d46cee6aa7c34dfbd1027a355d3580dea391f0
                                      • Instruction ID: 04ffd554f1efa769473c4c43f2b91b19bca0ce62cf40456fed340feb0d9a156c
                                      • Opcode Fuzzy Hash: 045addcaf9a88127e69f2a36b7d46cee6aa7c34dfbd1027a355d3580dea391f0
                                      • Instruction Fuzzy Hash: B7F01CB1508B14CFD3009FA4D44938FBBE0BB81359F00881DE59C97710E77884488B83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_ctrlO_find_typeO_next
                                      • String ID: i
                                      • API String ID: 3430737485-3865851505
                                      • Opcode ID: a94cb3593ea2ccd11ceba01480394d2f6e1981ba4f64c6e38b7063e5beb748ae
                                      • Instruction ID: 677e019dcb70ab093fcfe5d3ed78dc3189a9e502bda5bf29b7a30122f75c82f8
                                      • Opcode Fuzzy Hash: a94cb3593ea2ccd11ceba01480394d2f6e1981ba4f64c6e38b7063e5beb748ae
                                      • Instruction Fuzzy Hash: 63F0D4B4A087018FD304DF66C48461ABBE1FF84318F45C91DE8A49B740E374D449CB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC94DCB
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC94DD7
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_errorX_freeY_free
                                      • String ID: A$P
                                      • API String ID: 98119932-345673399
                                      • Opcode ID: 47d8cc964c203c0ca0418323e4a744b1e76503b8b43b61925a10b711cd1f5666
                                      • Instruction ID: df6bbbbae59b0fee4ea6aecc2e5567dd903b2f5622043f86b15e3f196e65f01c
                                      • Opcode Fuzzy Hash: 47d8cc964c203c0ca0418323e4a744b1e76503b8b43b61925a10b711cd1f5666
                                      • Instruction Fuzzy Hash: C7E039B6109B10CBD3009F94E44428EFBE0EB81719F01881DE198A7740E37885488B83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 6CC94D73
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC94D7F
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_errorX_freeY_free
                                      • String ID: D$P
                                      • API String ID: 98119932-307317852
                                      • Opcode ID: f25cdb80c9d5cd49cfeb591db5a4ae3b93903b8ae75434d130e57417e55d0ebf
                                      • Instruction ID: 32fc9e0e90f4bdbbdebeb625d3119932eeba511a852e53cc79bf787053de333f
                                      • Opcode Fuzzy Hash: f25cdb80c9d5cd49cfeb591db5a4ae3b93903b8ae75434d130e57417e55d0ebf
                                      • Instruction Fuzzy Hash: 25E065B2209B10CFE7009FA0E44838EFBE0EB81719F01881CE198A7740E37989088F83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      • Associated: 00000013.00000002.2089589408.0000000062E80000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089632392.0000000062E95000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089649416.0000000062E9C000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089663354.0000000062E9D000.00000004.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089711488.0000000062EA0000.00000008.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089731495.0000000062EA1000.00000002.00000001.01000000.00000006.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: __deregister_frame_info$libgcc_s_dw2-1.dll
                                      • API String ID: 1646373207-2468945734
                                      • Opcode ID: 2af05dc328b16632f5a276b4284edcc08d59bebb02df066ef000efd0ac755beb
                                      • Instruction ID: d19c67d781cfa977b0abff07f7ff6a4127c1c942feba612d96e57728910d831c
                                      • Opcode Fuzzy Hash: 2af05dc328b16632f5a276b4284edcc08d59bebb02df066ef000efd0ac755beb
                                      • Instruction Fuzzy Hash: 68E0ECB0D4C30186DB007BB84A3231AB6945F41649FA0C97DD8ECDA240EA34C550DBA3
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: __deregister_frame_info$libgcc_s_dw2-1.dll
                                      • API String ID: 1646373207-2468945734
                                      • Opcode ID: 60ec1ff93264b5cb21374382ed051ee1b8ee46deab1b5e1f4b00cfef9ff05276
                                      • Instruction ID: d967d2725b550c3576d6391534d3f75e778204873df279c466e6d53fa62730c8
                                      • Opcode Fuzzy Hash: 60ec1ff93264b5cb21374382ed051ee1b8ee46deab1b5e1f4b00cfef9ff05276
                                      • Instruction Fuzzy Hash: CEE0127052930196D7043BB98A32F1E7AE45F5270DF41456DCCACDA641DA3CD550CEA3
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC85E2F
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC85E37
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC85E77
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_free$R_put_error
                                      • String ID: A
                                      • API String ID: 2686429951-3554254475
                                      • Opcode ID: dc07bd2de882bd3050adeb2fcddfcbfca72b5683ad7bdae93e861693d8a962ee
                                      • Instruction ID: 7ec74d456bc4d103ab934c4de3f5e233bc49f0ec403caa2318338b3d602ea820
                                      • Opcode Fuzzy Hash: dc07bd2de882bd3050adeb2fcddfcbfca72b5683ad7bdae93e861693d8a962ee
                                      • Instruction Fuzzy Hash: B9E01AF25087059ED704AFA0D84039EBBE0FF8031CF05881DD5D997B10E37960498B83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: A512_Init
                                      • String ID: ($@$s
                                      • API String ID: 1479187199-1354622801
                                      • Opcode ID: 798babfe75ac798cf6fa13a8d4b4a4a7bd9aef5ec557497e10be592696641fcf
                                      • Instruction ID: 789fb97f9b5c130b8ae560870de97893384f761a98f4046d6fcca661f75b2da8
                                      • Opcode Fuzzy Hash: 798babfe75ac798cf6fa13a8d4b4a4a7bd9aef5ec557497e10be592696641fcf
                                      • Instruction Fuzzy Hash: 5CF0DAB040C7418AE7108F51C08834BBBE0BB80348F004D1DE5C8AB750E7BA9448CF87
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: /$D
                                      • API String ID: 1475443563-1275706592
                                      • Opcode ID: 97e3aecdb20567afa2f45bb32811eac646bab42718120fceb7768acee3debf46
                                      • Instruction ID: a9d084fb34a2d1c75c23833fae1e8eb1c5b49a9b08699d3e7639372e7d280521
                                      • Opcode Fuzzy Hash: 97e3aecdb20567afa2f45bb32811eac646bab42718120fceb7768acee3debf46
                                      • Instruction Fuzzy Hash: 064103B52097468FD310DF69D58475BFBE4FB88358F10892DE99887B40E3B5E948CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • IsDBCSLeadByteEx.KERNEL32 ref: 6CCBCEC2
                                      • MultiByteToWideChar.KERNEL32 ref: 6CCBCF05
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Byte$CharLeadMultiWide
                                      • String ID:
                                      • API String ID: 2561704868-0
                                      • Opcode ID: d522acf97196527330f12cf8d70c0595cdef75852363adc9242bb5503b852904
                                      • Instruction ID: 988da1ac9cc5a5b9934eac8366524fb8bb645e8f53f95adddb2a882802ce5101
                                      • Opcode Fuzzy Hash: d522acf97196527330f12cf8d70c0595cdef75852363adc9242bb5503b852904
                                      • Instruction Fuzzy Hash: 824108715093418FD700EF69D48425ABBF0BF86318F14895EF89497690E7B6D849CB93
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MultiByteToWideChar.KERNEL32 ref: 62E9201D
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide
                                      • String ID:
                                      • API String ID: 626452242-0
                                      • Opcode ID: be64d06f747a94108f9c39fd63644a07c2cf84a0a53d75ed5f629bff19d13eda
                                      • Instruction ID: b9ba0388fa14da6dad618d5988fd3d01a2f40129fb213af227550b61a41b63b6
                                      • Opcode Fuzzy Hash: be64d06f747a94108f9c39fd63644a07c2cf84a0a53d75ed5f629bff19d13eda
                                      • Instruction Fuzzy Hash: EB3106B09083419FD7009F29C05431AFBE1AF8A318F64C96EE4E88B791D7BAD585CB42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: CreateEventcalloc
                                      • String ID:
                                      • API String ID: 2382962142-0
                                      • Opcode ID: ea929adbe4b1c41e304ae6f016207ebf15113b2966d59e2ad6f9e5955fcbc166
                                      • Instruction ID: 8d8438d77b22b45abeceb773f761cbafb17b6cafe787b34b5a1d2613cc2ecaf0
                                      • Opcode Fuzzy Hash: ea929adbe4b1c41e304ae6f016207ebf15113b2966d59e2ad6f9e5955fcbc166
                                      • Instruction Fuzzy Hash: 65213971915300CEE7009F28D4A4B56BBE0EF41718F1585ADD8588F39AD77EC984DF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,62E8534F), ref: 62E84CA2
                                      • malloc.MSVCRT ref: 62E84CD8
                                      • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,62E8534F), ref: 62E84CEE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      • Associated: 00000013.00000002.2089589408.0000000062E80000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089632392.0000000062E95000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089649416.0000000062E9C000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089663354.0000000062E9D000.00000004.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089711488.0000000062EA0000.00000008.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089731495.0000000062EA1000.00000002.00000001.01000000.00000006.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: freemallocstrcpy
                                      • String ID: out of memory
                                      • API String ID: 3657993821-2599737071
                                      • Opcode ID: a6788211505ed41240f3cc180a98e73de7ebd5873fbbbe4eb788649ddfafb583
                                      • Instruction ID: cc4a44eeca078f3f5c00fa488ea11859dbe9b26f4b5dca285a50a591e43a1707
                                      • Opcode Fuzzy Hash: a6788211505ed41240f3cc180a98e73de7ebd5873fbbbe4eb788649ddfafb583
                                      • Instruction Fuzzy Hash: A4218E75A002508BCB149F3DC49054A7BA5EF81278B25C7AAEC688F3DAE735D901CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_kill.PTHREADGC2 ref: 62483B1A
                                        • Part of subcall function 62482540: SetEvent.KERNEL32 ref: 6248259C
                                        • Part of subcall function 62482540: SetEvent.KERNEL32(00000000), ref: 624825F0
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event$pthread_kill
                                      • String ID:
                                      • API String ID: 1525206388-0
                                      • Opcode ID: cca885924b5ae6e422f33d72afe8e60ae0c738d96302968453513f15b071addc
                                      • Instruction ID: 9344bf7d3d3f45a76108e8ae8e02f19abc5ae749bc44e44966a7a780464d8b43
                                      • Opcode Fuzzy Hash: cca885924b5ae6e422f33d72afe8e60ae0c738d96302968453513f15b071addc
                                      • Instruction Fuzzy Hash: 492150B16187048BC310AF68D4A0B8EFBE1EF84354F00492FE89887711E77DE949CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ERR_set_mark.LIBCRYPTO-1_1 ref: 6CCADEBD
                                      • EVP_PKEY_get_default_digest_nid.LIBCRYPTO-1_1 ref: 6CCADED1
                                      • ERR_pop_to_mark.LIBCRYPTO-1_1 ref: 6CCADEEA
                                      • X509_get_signature_info.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CCAE1E4), ref: 6CCADF54
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_pop_to_markR_set_markX509_get_signature_infoY_get_default_digest_nid
                                      • String ID:
                                      • API String ID: 429152899-0
                                      • Opcode ID: 66a1b5f6923ab6a085d1d58078a0bcb7bf5fcc57d4d362a8b9b7c7ea7aca885d
                                      • Instruction ID: 2da44592e8eac99e69dfcab56638b731100fd50b25d4111c6e0bead4965c4967
                                      • Opcode Fuzzy Hash: 66a1b5f6923ab6a085d1d58078a0bcb7bf5fcc57d4d362a8b9b7c7ea7aca885d
                                      • Instruction Fuzzy Hash: C72153306083028BD714DFA5C8886ABB3F5EB88348F14896EEC588BB04F731D947CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_find.LIBCRYPTO-1_1 ref: 6CC71EE1
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC71EFE
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC71F12
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC71FD0
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC7204B
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_value$L_sk_findL_sk_num
                                      • String ID:
                                      • API String ID: 2454052373-0
                                      • Opcode ID: e9ff58d7645d5f40b6ecbbbb84f763a43a23dfa43b4fe5f33c3131916c4474c2
                                      • Instruction ID: 89d17af9f4010183599621786303472979487bcc882c5d17f56027fd4f209b98
                                      • Opcode Fuzzy Hash: e9ff58d7645d5f40b6ecbbbb84f763a43a23dfa43b4fe5f33c3131916c4474c2
                                      • Instruction Fuzzy Hash: 0A31D470609B018FC764DF29C194A5ABBE0FF89348F54891DE8D8E7B50E734E985CB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000016,?,?,62483BCC), ref: 624812D4
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID:
                                      • API String ID: 4201588131-0
                                      • Opcode ID: 1cb04a85dd655daaec69490169899d9918cd4867747e3c8c0427672940556042
                                      • Instruction ID: 84949fac7fc8a36b0714193aee40776c256820cfe6d3d29deb4c626d6a1e3a5e
                                      • Opcode Fuzzy Hash: 1cb04a85dd655daaec69490169899d9918cd4867747e3c8c0427672940556042
                                      • Instruction Fuzzy Hash: 6C1142705153028FE704AF39C864B27B7E1AF85324F15C92DD4A88B284DB39D586CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID:
                                      • API String ID: 4201588131-0
                                      • Opcode ID: 5d1cc87b1f2619927d9f60c97b80fdb450b3eebf96142e7e5a163d2f2b17b9c4
                                      • Instruction ID: 2ca1326a880d9e1a5486ca75b1f177029b01c7706cfccee94dd1b4bb81b54b17
                                      • Opcode Fuzzy Hash: 5d1cc87b1f2619927d9f60c97b80fdb450b3eebf96142e7e5a163d2f2b17b9c4
                                      • Instruction Fuzzy Hash: EC1130715153118BD701AF38D9A4B2BBBE0EF81B28F05865DD8AC4B385DB39C545CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • d2i_X509.LIBCRYPTO-1_1 ref: 6CC87900
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC879B1
                                        • Part of subcall function 6CCB2180: X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CCB21CD
                                        • Part of subcall function 6CCB2180: EVP_PKEY_security_bits.LIBCRYPTO-1_1 ref: 6CCB21DE
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC87946
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC8797D
                                        • Part of subcall function 6CC86890: X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CC8689D
                                        • Part of subcall function 6CC86890: EVP_PKEY_copy_parameters.LIBCRYPTO-1_1 ref: 6CC868E3
                                        • Part of subcall function 6CC86890: ERR_clear_error.LIBCRYPTO-1_1 ref: 6CC868E8
                                        • Part of subcall function 6CC86890: X509_check_private_key.LIBCRYPTO-1_1 ref: 6CC868FF
                                        • Part of subcall function 6CC86890: X509_free.LIBCRYPTO-1_1 ref: 6CC86916
                                        • Part of subcall function 6CC86890: X509_up_ref.LIBCRYPTO-1_1 ref: 6CC8691E
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_errorX509_freeX509_get0_pubkey$R_clear_errorX509X509_check_private_keyX509_up_refY_copy_parametersY_security_bitsd2i_
                                      • String ID:
                                      • API String ID: 4122985623-0
                                      • Opcode ID: 0f86388f0d62d26701c25aa048e6efd4a65115a66405ff00b9dc334e5cafef02
                                      • Instruction ID: e284ae28b41dec343e92c422dddf87c4e4de5e94a719e19da573aaa0301836a6
                                      • Opcode Fuzzy Hash: 0f86388f0d62d26701c25aa048e6efd4a65115a66405ff00b9dc334e5cafef02
                                      • Instruction Fuzzy Hash: 161104B1A0A3519FD750DF64D58438BBBE0EB84358F018D1DE4D89B740E7B9D888CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CC8C568), ref: 6CCA4DD3
                                      • i2d_X509_NAME.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CC8C568), ref: 6CCA4DE9
                                        • Part of subcall function 6CC644F0: CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC64521
                                      • i2d_X509_NAME.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CC8C568), ref: 6CCA4E1B
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,00000000,?,?,?,6CC8C568), ref: 6CCA4E2E
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X509_i2d_$L_sk_numL_sk_valueO_zalloc
                                      • String ID:
                                      • API String ID: 1323314405-0
                                      • Opcode ID: f331d150881ac77d8fe6d5119a429ab8a992b35ef4e70029d3de8142601a28bb
                                      • Instruction ID: 555a270c6eb387d81dcf2f39e136e8981246954265a0e22d20f092d05717be66
                                      • Opcode Fuzzy Hash: f331d150881ac77d8fe6d5119a429ab8a992b35ef4e70029d3de8142601a28bb
                                      • Instruction Fuzzy Hash: B6010CB1A097428BD700DFB5C58425EFBE0AF85748F02882DE898D7B00FB75D8498B03
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_mutex_lock.PTHREADGC2 ref: 62487AA7
                                        • Part of subcall function 624872FC: WaitForSingleObject.KERNEL32 ref: 6248734E
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487AC1
                                      • pthread_mutex_unlock.PTHREADGC2 ref: 62487AD6
                                      • _errno.MSVCRT ref: 62487ADC
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      • Associated: 00000013.00000002.2089463591.0000000062480000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089493987.000000006248F000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089509205.0000000062494000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089524056.0000000062495000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089540512.0000000062498000.00000008.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.0000000062499000.00000002.00000001.01000000.00000004.sdmp
                                      • Associated: 00000013.00000002.2089555821.000000006249B000.00000002.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: pthread_mutex_unlock$ObjectSingleWait_errnopthread_mutex_lock
                                      • String ID:
                                      • API String ID: 215466170-0
                                      • Opcode ID: 6cecc9a5d7bced40b67a93a305527345e7b2ab13807582126a7517349632aba6
                                      • Instruction ID: 4814f442e33adf94ce8d312c1e1185aa42f4c75f55570ca3394199fd13036c9d
                                      • Opcode Fuzzy Hash: 6cecc9a5d7bced40b67a93a305527345e7b2ab13807582126a7517349632aba6
                                      • Instruction Fuzzy Hash: 75018B392293058FD704DF6988E0E6B7BE4EFC6354F05892CD8A84F340C779DA008B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 6CC7FC27
                                      • OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 6CC7FC3A
                                      • OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 6CC7FC4A
                                      • OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 6CC7FC79
                                      • OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 6CC7FCB3
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      • Associated: 00000013.00000002.2089753819.000000006CC60000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089806226.000000006CCBE000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089821480.000000006CCBF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089839176.000000006CCC0000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089856063.000000006CCC1000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089875477.000000006CCD4000.00000002.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089891215.000000006CCD9000.00000004.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDA000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089905863.000000006CCDF000.00000008.00000001.01000000.00000014.sdmp
                                      • Associated: 00000013.00000002.2089938237.000000006CCE0000.00000002.00000001.01000000.00000014.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_freeL_sk_new_nullL_sk_numL_sk_pushL_sk_value
                                      • String ID:
                                      • API String ID: 546788154-0
                                      • Opcode ID: fef23286ea8b94fa8250b566ced73e8b3b153e3c5c469d7e2d3bb4e6ab5b12e6
                                      • Instruction ID: 90b1b008c59db6e4aac8719ba84fafeb061e2a7435178640b0cae6d8510abfdf
                                      • Opcode Fuzzy Hash: fef23286ea8b94fa8250b566ced73e8b3b153e3c5c469d7e2d3bb4e6ab5b12e6
                                      • Instruction Fuzzy Hash: BCF01DB1A09B019FD3216FAAD98425EBBE0EF8479CF05882DED88D7B00F775D4458B52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      • Associated: 00000013.00000002.2089589408.0000000062E80000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089632392.0000000062E95000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089649416.0000000062E9C000.00000002.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089663354.0000000062E9D000.00000004.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089711488.0000000062EA0000.00000008.00000001.01000000.00000006.sdmp
                                      • Associated: 00000013.00000002.2089731495.0000000062EA1000.00000002.00000001.01000000.00000006.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: strlenwcslen
                                      • String ID: (null)$(null)
                                      • API String ID: 803329031-1601437019
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: freemallocsprintf
                                      • String ID: <fd:%d>
                                      • API String ID: 887708770-558891604
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • pthread_getspecific.PTHREADGC2(?,?,?,?,?,?,?,?,?,00000000), ref: 6248AAE8
                                        • Part of subcall function 62484FD8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,62485041), ref: 62484FE5
                                        • Part of subcall function 62484FD8: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,62485041), ref: 62484FF1
                                        • Part of subcall function 62484FD8: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,62485041), ref: 62484FFE
                                      • exit.MSVCRT ref: 6248AB03
                                      • _endthreadex.MSVCRT ref: 6248AB23
                                      • longjmp.MSVCRT ref: 6248AB4A
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: ErrorLast$Value_endthreadexexitlongjmppthread_getspecific
                                      • String ID:
                                      • API String ID: 396027996-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC86916
                                      • X509_up_ref.LIBCRYPTO-1_1 ref: 6CC8691E
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC86952
                                      • ERR_clear_error.LIBCRYPTO-1_1 ref: 6CC86966
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_clear_errorX509_freeX509_up_refY_free
                                      • String ID:
                                      • API String ID: 2354384206-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • X509_LOOKUP_file.LIBCRYPTO-1_1 ref: 6CC838D3
                                      • X509_STORE_add_lookup.LIBCRYPTO-1_1 ref: 6CC838E6
                                      • X509_LOOKUP_ctrl.LIBCRYPTO-1_1 ref: 6CC83914
                                      • ERR_clear_error.LIBCRYPTO-1_1 ref: 6CC83919
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X509_$E_add_lookupP_ctrlP_fileR_clear_error
                                      • String ID:
                                      • API String ID: 1070512093-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • X509_LOOKUP_hash_dir.LIBCRYPTO-1_1 ref: 6CC83873
                                      • X509_STORE_add_lookup.LIBCRYPTO-1_1 ref: 6CC83886
                                      • X509_LOOKUP_ctrl.LIBCRYPTO-1_1 ref: 6CC838B4
                                      • ERR_clear_error.LIBCRYPTO-1_1 ref: 6CC838B9
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X509_$E_add_lookupP_ctrlP_hash_dirR_clear_error
                                      • String ID:
                                      • API String ID: 3443524944-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • too many length or distance symbols, xrefs: 62E8A9B1
                                      • invalid code lengths set, xrefs: 62E8AB72
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: crc32
                                      • String ID: invalid code lengths set$too many length or distance symbols
                                      • API String ID: 2947273566-2975660856
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: crc32
                                      • String ID: invalid block type
                                      • API String ID: 2947273566-1830746294
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: crc32
                                      • String ID: header crc mismatch
                                      • API String ID: 2947273566-1313727592
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: Calc_D_priv_bytesL_cleanseN_bin2bn
                                      • String ID: ($A
                                      • API String ID: 4178199679-959209194
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: crc32
                                      • String ID: header crc mismatch
                                      • API String ID: 2947273566-1313727592
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CC9CCA2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X509_get0_pubkey
                                      • String ID: A$P
                                      • API String ID: 2698272274-345673399
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 8dPb$dPb
                                      • API String ID: 0-2040359314
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: ErrorLastO_write
                                      • String ID: P
                                      • API String ID: 186964608-3110715001
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CC9DA02
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X509_get0_pubkey
                                      • String ID: ($D
                                      • API String ID: 2698272274-1229367909
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BUF_MEM_free.LIBCRYPTO-1_1 ref: 6CC973BF
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC978E5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: M_freeR_put_error
                                      • String ID: P
                                      • API String ID: 177401054-3110715001
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BUF_MEM_free.LIBCRYPTO-1_1 ref: 6CC973BF
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC978E5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: M_freeR_put_error
                                      • String ID: P
                                      • API String ID: 177401054-3110715001
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • X509_get0_pubkey.LIBCRYPTO-1_1 ref: 6CC9CF57
                                        • Part of subcall function 6CC763B0: EVP_PKEY_id.LIBCRYPTO-1_1(?,?,?,?,?,?,6CCB1784), ref: 6CC763BA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: X509_get0_pubkeyY_id
                                      • String ID: D$P
                                      • API String ID: 2716974155-307317852
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_ctrl
                                      • String ID: 1
                                      • API String ID: 3605655398-2212294583
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 6CC93CC0
                                      • d2i_OCSP_RESPID.LIBCRYPTO-1_1 ref: 6CC93D03
                                      • OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 6CC93D25
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_new_nullL_sk_pushd2i_
                                      • String ID: 2$n
                                      • API String ID: 2521948183-2202813717
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_MD_size.LIBCRYPTO-1_1 ref: 6CC908C3
                                        • Part of subcall function 6CC64FD0: CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 6CC64FFD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: D_sizeO_zalloc
                                      • String ID: D$P
                                      • API String ID: 95341914-307317852
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 6CC6FD38
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: DigestR_put_errorUpdate
                                      • String ID: D$P
                                      • API String ID: 1495512078-307317852
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EVP_CIPHER_CTX_ctrl.LIBCRYPTO-1_1 ref: 6CCACD5B
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_errorX_ctrl
                                      • String ID: D$P
                                      • API String ID: 1273720121-307317852
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ASN1_item_free.LIBCRYPTO-1_1 ref: 6CC73A7A
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC73F7F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: N1_item_freeR_put_error
                                      • String ID: g
                                      • API String ID: 4156053322-30677878
                                      • Opcode ID: c3af1bcfa3d0fe337ac59f38a7127254baa7f3bc81002c77b314bb061b6a63f2
                                      • Instruction ID: 010e0301637bdfc390efc7ecfaa9bd921e39e78f080a57d993a220cb7eab9a2c
                                      • Opcode Fuzzy Hash: c3af1bcfa3d0fe337ac59f38a7127254baa7f3bc81002c77b314bb061b6a63f2
                                      • Instruction Fuzzy Hash: ECF039B26097018FDB109F94E88139AFBA0FB8075CF25882DD5D817B10E37A91888B93
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • X509_free.LIBCRYPTO-1_1 ref: 6CC9B93D
                                      • OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 6CC9B94D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: L_sk_pop_freeR_put_errorX509_free
                                      • String ID: 2
                                      • API String ID: 3242308188-450215437
                                      • Opcode ID: a8f1a407423f02376474d0a850538de6555eb432f56da97a4ad6dfb2d6d2a906
                                      • Instruction ID: f6e3397cfe8de075822a83dcf1bed20d39bc534c33afab45d4fb3535b2538ef3
                                      • Opcode Fuzzy Hash: a8f1a407423f02376474d0a850538de6555eb432f56da97a4ad6dfb2d6d2a906
                                      • Instruction Fuzzy Hash: 0FF0F2B220DB049FD310AFA9E48524EFBE0BB80358F018C2DE08897B40E7B595099B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • BUF_MEM_free.LIBCRYPTO-1_1 ref: 6CCA2D16
                                        • Part of subcall function 6CC83610: BIO_pop.LIBCRYPTO-1_1 ref: 6CC83625
                                        • Part of subcall function 6CC83610: BIO_free.LIBCRYPTO-1_1 ref: 6CC83633
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: M_freeO_freeO_popR_put_error
                                      • String ID: D$P
                                      • API String ID: 1238787653-307317852
                                      • Opcode ID: c990e9d1d2feea55bb48d1f6086a5a9ce0e0be0bf3d6677e051cdc0173729798
                                      • Instruction ID: 29508d47af13342b362a4027ea2e7e389b11c5f79929ec0a4ddee8b2bdf38895
                                      • Opcode Fuzzy Hash: c990e9d1d2feea55bb48d1f6086a5a9ce0e0be0bf3d6677e051cdc0173729798
                                      • Instruction Fuzzy Hash: DEF092B1409B118BEB40AF61D89834BBBE0BF44308F01881DD9999B740E779D4898F82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_ctrlO_find_type
                                      • String ID: i
                                      • API String ID: 4054788809-3865851505
                                      • Opcode ID: dae5080ee7dff4d5a775ff9775bca0de79505863f7833cb20155a15b5558d893
                                      • Instruction ID: c8a284a2ef9dcde8214c676176a43e40fe23e1303b31147d5a5fcebc0b4421eb
                                      • Opcode Fuzzy Hash: dae5080ee7dff4d5a775ff9775bca0de79505863f7833cb20155a15b5558d893
                                      • Instruction Fuzzy Hash: A6F0A5705097019FD704DF69C58475ABBE0BF84314F40891CE8E497390E374E449CF52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ERR_put_error.LIBCRYPTO-1_1 ref: 6CC7AD6F
                                      • ERR_add_error_data.LIBCRYPTO-1_1 ref: 6CC7AD87
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_add_error_dataR_put_error
                                      • String ID: cmd=
                                      • API String ID: 1829008518-287391024
                                      • Opcode ID: 663a6251c2395ab42bf81f758d9b6224fd2c9b46f4c6b61faa7825b64a781671
                                      • Instruction ID: 635c55a01dd1b0f4d713a6c2fc72fec00d5394bbb644c3e8b4f444db28fb9ab8
                                      • Opcode Fuzzy Hash: 663a6251c2395ab42bf81f758d9b6224fd2c9b46f4c6b61faa7825b64a781671
                                      • Instruction Fuzzy Hash: B6E01AB2508710AED3009F58D90239AFBE0FB80368F00891DE1D89B7A0D37A85488B93
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_ctrlO_find_type
                                      • String ID: i
                                      • API String ID: 4054788809-3865851505
                                      • Opcode ID: fd35fa0e57afc0c1d70c1b4cc8f8699d28b7dcccbc0c598083f89b5ae909108b
                                      • Instruction ID: a5d278fc2b9a0e4a0b47c70d6fbdf93c8b362e5a1f5f6082ed9aa8636dd2e157
                                      • Opcode Fuzzy Hash: fd35fa0e57afc0c1d70c1b4cc8f8699d28b7dcccbc0c598083f89b5ae909108b
                                      • Instruction Fuzzy Hash: ECE0E5B05097019FD704DF69C48461ABBE0EF84314F40CA1CE8E48B390E374D448CF52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC79FED), ref: 6CC87F51
                                      • BIO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC79FED), ref: 6CC87F59
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeR_put_error
                                      • String ID: |
                                      • API String ID: 3735976985-2343686810
                                      • Opcode ID: dc94c01275e9fdd698a825f014bc1a3cb17ee518dbb28e35f660aceb9556cb92
                                      • Instruction ID: b82de167449058faec7b88103b26b27c951817de55c73a1a16b8cf6379d5f92c
                                      • Opcode Fuzzy Hash: dc94c01275e9fdd698a825f014bc1a3cb17ee518dbb28e35f660aceb9556cb92
                                      • Instruction Fuzzy Hash: 76E0ECB29097108FE7049F94E44534AFBE0EB85355F018D1DD19867750D779A4498B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC79FD2), ref: 6CC889F1
                                      • BIO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,6CC79FD2), ref: 6CC889F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: O_freeR_put_error
                                      • String ID: |
                                      • API String ID: 3735976985-2343686810
                                      • Opcode ID: 8fa53c8bd6cd93ac02b33f263a5ec797591da47890d13b449bdabace3d799d4b
                                      • Instruction ID: befb451ca46f8e64cc8a4cb42d55a4a1806448aeaba4a6fb1dade0da8bfcef7e
                                      • Opcode Fuzzy Hash: 8fa53c8bd6cd93ac02b33f263a5ec797591da47890d13b449bdabace3d799d4b
                                      • Instruction Fuzzy Hash: 4BE0ECB29087108FE7049F94E44534AFBE0EB85355F018D1DD19867750D779A4488BC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 6CC97200: ERR_put_error.LIBCRYPTO-1_1 ref: 6CC97234
                                      • EVP_PKEY_free.LIBCRYPTO-1_1 ref: 6CC997DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: R_put_errorY_free
                                      • String ID: D$P
                                      • API String ID: 3485142574-307317852
                                      • Opcode ID: 467e4b651432f0dd4153aa88a4e83dcc65812f3f725834a59f2bb84b8423aa8f
                                      • Instruction ID: 9bda075b49a3dad383198908a298fcd59fdc36cffba79e0bb6b44352b5b82310
                                      • Opcode Fuzzy Hash: 467e4b651432f0dd4153aa88a4e83dcc65812f3f725834a59f2bb84b8423aa8f
                                      • Instruction Fuzzy Hash: F1E042B0059B41DED700DF11C45534EBBE0BF41708F018C0DE59816A50E7B99549CF97
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNEL32(?,?,?,?,6CCBC0D1,?,?,?,?,?,?,00000000,6CCBA474), ref: 6CCBBFC7
                                      • InitializeCriticalSection.KERNEL32(?,?,?,?,6CCBC0D1,?,?,?,?,?,?,00000000,6CCBA474), ref: 6CCBC004
                                      • InitializeCriticalSection.KERNEL32(?,?,?,?,?,6CCBC0D1,?,?,?,?,?,?,00000000,6CCBA474), ref: 6CCBC010
                                      • EnterCriticalSection.KERNEL32(?,?,?,?,6CCBC0D1,?,?,?,?,?,?,00000000,6CCBA474), ref: 6CCBC038
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089768551.000000006CC61000.00000020.00000001.01000000.00000014.sdmp, Offset: 6CC60000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_6cc60000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: CriticalSection$Initialize$EnterSleep
                                      • String ID:
                                      • API String ID: 1117354567-0
                                      • Opcode ID: 7f238ddae89869ec7509a4f422fc9f989a538e84d0d788d0d30c784767a1f95e
                                      • Instruction ID: ed4959e0cd1e9f21faf49fb31b5b591c8869d93ba75458fa889f5c22cd51df58
                                      • Opcode Fuzzy Hash: 7f238ddae89869ec7509a4f422fc9f989a538e84d0d788d0d30c784767a1f95e
                                      • Instruction Fuzzy Hash: 4111A1B5605701ABDB00BBA8E0D625A3BB0FB03348F150529D482D7A50FB35F9C5CB97
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: CriticalSection$EnterLeavefree
                                      • String ID:
                                      • API String ID: 4020351045-0
                                      • Opcode ID: b19effc21153126c41d13688b4af2623874b2ad4fc79623f004b4549b5b8e445
                                      • Instruction ID: f1ec7cb7deadbef1e17ecafad7cdce0f9c1ebfb260ccd2c869b979e3727b9da6
                                      • Opcode Fuzzy Hash: b19effc21153126c41d13688b4af2623874b2ad4fc79623f004b4549b5b8e445
                                      • Instruction Fuzzy Hash: A5014070B25205DF8B04EFB8D4A1E1ABBF5AF46308B14896E984CCB305E734DD81CB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: CriticalSection$EnterLeavefree
                                      • String ID:
                                      • API String ID: 4020351045-0
                                      • Opcode ID: 11746a6a527303b8efd60029336c3dda17896735f817a7a2687bf2ce6ac027eb
                                      • Instruction ID: 0155175c9fb7cb9bea99746a20f5fe7cb1130d1ef3ace2207ec1e516fce1448c
                                      • Opcode Fuzzy Hash: 11746a6a527303b8efd60029336c3dda17896735f817a7a2687bf2ce6ac027eb
                                      • Instruction Fuzzy Hash: C6015B74B04304CF8B00EF78C2A694EB7E1AB81348B38C47EE59D87314E631E885C752
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EnterCriticalSection.KERNEL32(?,?,?,6248D285,?,?,?,?,?,6248CCC0), ref: 6248D10F
                                      • TlsGetValue.KERNEL32(?,?,?,?,6248D285,?,?,?,?,?,6248CCC0), ref: 6248D125
                                      • GetLastError.KERNEL32(?,?,?,?,?,6248D285,?,?,?,?,?,6248CCC0), ref: 6248D12D
                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,6248D285,?,?,?,?,?,6248CCC0), ref: 6248D150
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089477069.0000000062481000.00000020.00000001.01000000.00000004.sdmp, Offset: 62480000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62480000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: CriticalSection$EnterErrorLastLeaveValue
                                      • String ID:
                                      • API String ID: 682475483-0
                                      • Opcode ID: 98b6f7aa4ac330f3e5b19130bfacf9953b8a43b77346e6f2206bbd47adee2663
                                      • Instruction ID: d9e5e088027a723fef4f9c1f46e7f733cbd0434417b6046f22189faa1ab97506
                                      • Opcode Fuzzy Hash: 98b6f7aa4ac330f3e5b19130bfacf9953b8a43b77346e6f2206bbd47adee2663
                                      • Instruction Fuzzy Hash: 1EF0AF71A16210DB8F00BFB9D8E1EAABBE8EE4971CF00045EDD4897205E734D9408AE2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EnterCriticalSection.KERNEL32(?,?,?,62E8E676,?,?,?,?,?,62E8E093), ref: 62E8E5EF
                                      • TlsGetValue.KERNEL32(?,?,?,?,62E8E676,?,?,?,?,?,62E8E093), ref: 62E8E606
                                      • GetLastError.KERNEL32(?,?,?,?,?,62E8E676,?,?,?,?,?,62E8E093), ref: 62E8E610
                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,62E8E676,?,?,?,?,?,62E8E093), ref: 62E8E633
                                      Memory Dump Source
                                      • Source File: 00000013.00000002.2089604062.0000000062E81000.00000020.00000001.01000000.00000006.sdmp, Offset: 62E80000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_2_62e80000_BackupExtractor.jbxd
                                      Similarity
                                      • API ID: CriticalSection$EnterErrorLastLeaveValue
                                      • String ID:
                                      • API String ID: 682475483-0
                                      • Opcode ID: 44abea60224ae81af183f1106712b24b10f5ffda6adc061e4308eaf9403e578a
                                      • Instruction ID: d4502ed7beb07bd4002f05f736ff239b097c20329b2b311a15df780a750e76bc
                                      • Opcode Fuzzy Hash: 44abea60224ae81af183f1106712b24b10f5ffda6adc061e4308eaf9403e578a
                                      • Instruction Fuzzy Hash: 85F06271D047108B9B10FFB895A269EB7A4AE4035CF24847EEDAC87605EB30E558C693
                                      Uniqueness

                                      Uniqueness Score: -1.00%