
Windows Analysis Report
AyBhhRZXPj

Overview

General Information

Sample Name: AyBhhRZXPj (renamed file extension from none to dll)
Analysis ID: 595303
MD5: 518cc4a9888e76bc1a916fd67a08a075
SHA1: 148d6f12f12a0cae195f36f4319839f6687b7144
SHA256: 57b0d95f62fc7999dd21b6a0aef4087ad855ccb2d28b99463ee6c88ddf037009
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6608 cmdline: loaddll64.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6620 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6640 cmdline: rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6632 cmdline: rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Magnify.exe (PID: 5372 cmdline: C:\Windows\system32\Magnify.exe MD5: F97BE20B374457236666607EE4BA7F7F)
        • FileHistory.exe (PID: 5788 cmdline: C:\Windows\system32\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)
        • FileHistory.exe (PID: 7004 cmdline: C:\Users\user\AppData\Local\u70W8\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)
        • RdpSa.exe (PID: 7028 cmdline: C:\Windows\system32\RdpSa.exe MD5: 0795B6F790F8E52D55F39E593E9C5BBA)
        • mspaint.exe (PID: 7064 cmdline: C:\Windows\system32\mspaint.exe MD5: 99F86A0D360FD9A3FCAD6B1E7D92A90C)
        • mspaint.exe (PID: 4576 cmdline: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe MD5: 99F86A0D360FD9A3FCAD6B1E7D92A90C)
        • mmc.exe (PID: 6244 cmdline: C:\Windows\system32\mmc.exe MD5: BA80301974CC8C4FB9F3F9DDB5905C30)
        • EaseOfAccessDialog.exe (PID: 6176 cmdline: C:\Windows\system32\EaseOfAccessDialog.exe MD5: F87F2E5EBF3FFBA39DF1621B5F8689B5)
        • unregmp2.exe (PID: 4948 cmdline: C:\Windows\system32\unregmp2.exe MD5: 9B517303C58CA8A450B97B0D71594CBB)
        • unregmp2.exe (PID: 4908 cmdline: C:\Users\user\AppData\Local\vVin\unregmp2.exe MD5: 9B517303C58CA8A450B97B0D71594CBB)
        • omadmclient.exe (PID: 6340 cmdline: C:\Windows\system32\omadmclient.exe MD5: AD7C6CD7A8EEC95808AA77C5D7987941)
        • omadmclient.exe (PID: 6392 cmdline: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe MD5: AD7C6CD7A8EEC95808AA77C5D7987941)
        • eudcedit.exe (PID: 6164 cmdline: C:\Windows\system32\eudcedit.exe MD5: 0ED10F2F98B80FF9F95EED2B04CFA076)
        • GamePanel.exe (PID: 5244 cmdline: C:\Windows\system32\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)
        • GamePanel.exe (PID: 5832 cmdline: C:\Users\user\AppData\Local\Odp\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)
    • rundll32.exe (PID: 6724 cmdline: rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatString MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6868 cmdline: rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatValue MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000003.00000002.254650738.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000008.00000002.268092209.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000023.00000002.497477137.00007FFC74C21000.00000020.00000001.01000000.00000010.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000005.00000002.260480210.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security

Source | Rule | Description | Author
8.2.rundll32.exe.7ffc670c0000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
35.2.unregmp2.exe.7ffc74c20000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
21.2.FileHistory.exe.7ffc74c20000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
37.2.omadmclient.exe.7ffc74c20000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
5.2.rundll32.exe.7ffc670c0000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security

System Summary

Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6620, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1, ProcessId: 6640
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3968, TargetFilename: C:\Users\user\AppData\Local\u70W8\FileHistory.exe

AV Detection

Source: AyBhhRZXPj.dll | Virustotal: Detection: 70%
Source: AyBhhRZXPj.dll | Metadefender: Detection: 62%
Source: AyBhhRZXPj.dll | ReversingLabs: Detection: 88%
Source: AyBhhRZXPj.dll | Avira: detected
Source: C:\Users\user\AppData\Local\Odp\dwmapi.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\u70W8\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: AyBhhRZXPj.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Odp\dwmapi.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\u70W8\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA5C7B8 CryptDecryptMessage,GetLastError,LocalAlloc,CryptDecryptMessage,GetLastError,LocalFree
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA43EE8 CryptAcquireContextW,GetLastError,CryptReleaseContext,SetLastError,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptCreateHash,GetLastError,CryptCreateHash,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64,CryptHashData,CryptHashData,CryptHashData,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64W,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64W,LocalFree,??_V@YAXPEAX@Z,CryptDestroyHash,CryptDestroyHash,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA44540 CryptAcquireContextW,GetLastError,CryptReleaseContext,SetLastError,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptCreateHash,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64,CryptHashData,CryptHashData,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64W,??_V@YAXPEAX@Z,CryptDestroyHash,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA5C5A8 memset,CryptEncryptMessage,GetLastError,LocalAlloc,CryptEncryptMessage,GetLastError,LocalFree
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA44528 CryptDestroyHash
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA4450C CryptReleaseContext
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA5C3D8 CryptVerifyMessageSignature,GetLastError,LocalAlloc,CryptVerifyMessageSignature,GetLastError,LocalFree
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA55260 CryptAcquireContextW,GetLastError,CryptReleaseContext,SetLastError,CryptAcquireContextW,GetLastError,LocalAlloc,CryptGenRandom,GetLastError,LocalFree,CryptReleaseContext
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA5C1CC memset,CryptSignMessage,GetLastError,LocalAlloc,CryptSignMessage,GetLastError,LocalFree
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA5BA30 CryptHashCertificate,GetLastError
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA449A8 UnicodeToMB,CryptHashData,GetLastError,??_V@YAXPEAX@Z
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA68598 CryptAcquireContextW,CryptCreateHash
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA68610 CryptGetHashParam,memset
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA68534 CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA6874C CryptHashData
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA688F8 CryptHashData
Source: AyBhhRZXPj.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: mspaint.pdb source: mspaint.exe, 00000019.00000000.419578288.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp, mspaint.exe, 00000019.00000002.455682881.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: mspaint.pdbGCTL source: mspaint.exe, 00000019.00000000.419578288.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp, mspaint.exe, 00000019.00000002.455682881.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: unregmp2.pdb source: unregmp2.exe, 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp, unregmp2.exe, 00000023.00000000.466778419.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 00000015.00000000.378208348.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp, FileHistory.exe, 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: unregmp2.pdbGCTL source: unregmp2.exe, 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp, unregmp2.exe, 00000023.00000000.466778419.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: omadmclient.pdb source: omadmclient.exe, 00000025.00000000.504473008.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp, omadmclient.exe, 00000025.00000002.528042949.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: omadmclient.pdbGCTL source: omadmclient.exe, 00000025.00000000.504473008.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp, omadmclient.exe, 00000025.00000002.528042949.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: FileHistory.pdb source: FileHistory.exe, 00000015.00000000.378208348.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp, FileHistory.exe, 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6711ED10 FindFirstFileExW
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C6ED10 FindFirstFileExW
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672546088 FindFirstFileW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,FindNextFileW,FindClose,RegOpenKeyExW,LoadStringW,RegQueryValueExW,LoadStringW,RegCloseKey,PathAddBackslashW,GetFileAttributesW,RegOpenKeyExW,LoadStringW,RegQueryValueExW,PathAddBackslashW,GetFileAttributesW,RegCloseKey,RegCloseKey,LoadStringW,PathAddBackslashW,GetFileAttributesW,LoadStringW,PathAddBackslashW,GetFileAttributesW,wcsrchr,LoadStringW,PathAddBackslashW,GetFileAttributesW,RegOpenKeyExW,LoadStringW,RegQueryValueExW,PathAddBackslashW,GetFileAttributesW,RegCloseKey,RegCloseKey,LoadStringW,PathAddBackslashW,GetFileAttributesW,LoadStringW,PathAddBackslashW,GetFileAttributesW,wcsrchr
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672545B4C PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672548BFC CoInitialize,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,CoUninitialize
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF6725472E8 RegOpenKeyExW,RegQueryValueExW,SHChangeNotify,RegDeleteValueW,wcsrchr,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,RegQueryValueExW,RegCloseKey
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF6725479C4 SHGetSpecialFolderPathW,PathRemoveFileSpecW,PathRemoveFileSpecW,LoadStringW,PathRemoveFileSpecW,PathAppendW,PathIsDirectoryW,PathRemoveFileSpecW,PathAppendW,PathAppendW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW
Source: GamePanel.exe | String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augment
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth
Source: GamePanel.exe | String found in binary or memory: https://MediaData.XboxLive.com/gameclips/Augment
Source: GamePanel.exe | String found in binary or memory: https://MediaData.XboxLive.com/screenshots/Augment
Source: GamePanel.exe | String found in binary or memory: https://aka.ms/ifg0es
Source: GamePanel.exe | String found in binary or memory: https://aka.ms/imfx4k
Source: GamePanel.exe | String found in binary or memory: https://aka.ms/imrx2o
Source: GamePanel.exe | String found in binary or memory: https://aka.ms/v5do45
Source: GamePanel.exe | String found in binary or memory: https://aka.ms/w5ryqn
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING
Source: GamePanel.exe, GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: https://aka.ms/wk9ocd
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/%ws
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: https://mixer.com/%wsWindows.System.Launcher
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.png
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia
Source: GamePanel.exe, GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: https://mixer.com/api/v1/broadcasts/current
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/api/v1/channels/%d
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/api/v1/channels/%ws
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/api/v1/chats/%.0f
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/api/v1/oauth/xbl/login
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/api/v1/types/lookup%ws
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/api/v1/users/current
Source: GamePanel.exe | String found in binary or memory: https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw
Source: GamePanel.exe | String found in binary or memory: https://www.xboxlive.com
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | String found in binary or memory: https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CAA45E0 UiaReturnRawElementProvider,GetRawInputData,GetMessageExtraInfo,GetMessageExtraInfo,SendMessageW,SendMessageW,MulDiv,#413,Concurrency::cancel_current_task

E-Banking Fraud

Source: Yara match | File source: 8.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.unregmp2.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.FileHistory.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 37.2.omadmclient.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 41.2.GamePanel.exe.7ffc678e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.mspaint.exe.7ffc74c10000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.254650738.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.268092209.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.497477137.00007FFC74C21000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.260480210.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.363013775.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.566763440.00007FFC678E1000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.528095549.00007FFC74C21000.00000020.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC671097D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F5020
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6711DDC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67127650
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712D520
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6710A2C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F59F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670FAA70
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6710CA50
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E7880
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67113150
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6713B7A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C6790
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712C780
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6713EF80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670EE7B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670DA7D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67134FF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D8FC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E6FE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C1010
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E4800
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670EC030
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F0020
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E5050
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6710F870
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67115840
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670FF870
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C6E90
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712A6B0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670C7E800_2_00007FFC670C7E80
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670EF6B00_2_00007FFC670EF6B0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F06A00_2_00007FFC670F06A0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67127EC00_2_00007FFC67127EC0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67120F300_2_00007FFC67120F30
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E872B0_2_00007FFC670E872B
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC671257600_2_00007FFC67125760
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E2F500_2_00007FFC670E2F50
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6713BF6F0_2_00007FFC6713BF6F
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC671207700_2_00007FFC67120770
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670DE7700_2_00007FFC670DE770
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670CC5A00_2_00007FFC670CC5A0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D95C00_2_00007FFC670D95C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F25C00_2_00007FFC670F25C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D65E00_2_00007FFC670D65E0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E36100_2_00007FFC670E3610
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F2E100_2_00007FFC670F2E10
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670CDE200_2_00007FFC670CDE20
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670C16200_2_00007FFC670C1620
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D86700_2_00007FFC670D8670
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC671106500_2_00007FFC67110650
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E49D0_2_00007FFC6712E49D
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67122CA00_2_00007FFC67122CA0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E4A60_2_00007FFC6712E4A6
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E4AD0_2_00007FFC6712E4AD
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E4B60_2_00007FFC6712E4B6
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670EAC800_2_00007FFC670EAC80
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E48B0_2_00007FFC6712E48B
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712A4900_2_00007FFC6712A490
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E4940_2_00007FFC6712E494
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D3CD00_2_00007FFC670D3CD0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F5CD00_2_00007FFC670F5CD0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F3CF00_2_00007FFC670F3CF0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F0D100_2_00007FFC670F0D10
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F1D300_2_00007FFC670F1D30
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E3D500_2_00007FFC670E3D50
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670ED5500_2_00007FFC670ED550
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D9D700_2_00007FFC670D9D70
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC671243900_2_00007FFC67124390
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67114BC00_2_00007FFC67114BC0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D23F00_2_00007FFC670D23F0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D74100_2_00007FFC670D7410
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E4000_2_00007FFC6712E400
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC671294100_2_00007FFC67129410
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D54200_2_00007FFC670D5420
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670C5C200_2_00007FFC670C5C20
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC671282A00_2_00007FFC671282A0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712AAA00_2_00007FFC6712AAA0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670EDAA00_2_00007FFC670EDAA0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67122AE00_2_00007FFC67122AE0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67127AF00_2_00007FFC67127AF0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E92C00_2_00007FFC670E92C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6711F2C00_2_00007FFC6711F2C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E82E00_2_00007FFC670E82E0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670FBAE00_2_00007FFC670FBAE0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670EA3100_2_00007FFC670EA310
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F03000_2_00007FFC670F0300
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F1B300_2_00007FFC670F1B30
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670CBB200_2_00007FFC670CBB20
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670C53500_2_00007FFC670C5350
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E33400_2_00007FFC670E3340
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D83400_2_00007FFC670D8340
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C55CD021_2_00007FFC74C55CD0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C7DDC021_2_00007FFC74C7DDC0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C5502021_2_00007FFC74C55020
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C6CA5021_2_00007FFC74C6CA50
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C5AA7021_2_00007FFC74C5AA70
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C6A2C021_2_00007FFC74C6A2C0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4D55021_2_00007FFC74C4D550
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C43D5021_2_00007FFC74C43D50
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C39D7021_2_00007FFC74C39D70
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C50D1021_2_00007FFC74C50D10
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C51D3021_2_00007FFC74C51D30
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C8D52021_2_00007FFC74C8D520
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C33CD021_2_00007FFC74C33CD0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C53CF021_2_00007FFC74C53CF0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4AC8021_2_00007FFC74C4AC80
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C82CA021_2_00007FFC74C82CA0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C7065021_2_00007FFC74C70650
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C8765021_2_00007FFC74C87650
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C3867021_2_00007FFC74C38670
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C52E1021_2_00007FFC74C52E10
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4361021_2_00007FFC74C43610
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C2162021_2_00007FFC74C21620
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C2DE2021_2_00007FFC74C2DE20
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C525C021_2_00007FFC74C525C0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C395C021_2_00007FFC74C395C0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C365E021_2_00007FFC74C365E0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C2C5A021_2_00007FFC74C2C5A0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C42F5021_2_00007FFC74C42F50
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C8077021_2_00007FFC74C80770
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C3E77021_2_00007FFC74C3E770
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C8576021_2_00007FFC74C85760
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C80F3021_2_00007FFC74C80F30
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4872B21_2_00007FFC74C4872B
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C87EC021_2_00007FFC74C87EC0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C26E9021_2_00007FFC74C26E90
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C27E8021_2_00007FFC74C27E80
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4F6B021_2_00007FFC74C4F6B0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C506A021_2_00007FFC74C506A0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4505021_2_00007FFC74C45050
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C7584021_2_00007FFC74C75840
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C5F87021_2_00007FFC74C5F870
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C2101021_2_00007FFC74C21010
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4480021_2_00007FFC74C44800
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4C03021_2_00007FFC74C4C030
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C5002021_2_00007FFC74C50020
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C697D021_2_00007FFC74C697D0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C3A7D021_2_00007FFC74C3A7D0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C38FC021_2_00007FFC74C38FC0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C94FF021_2_00007FFC74C94FF0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C46FE021_2_00007FFC74C46FE0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C2679021_2_00007FFC74C26790
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C9EF8021_2_00007FFC74C9EF80
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4E7B021_2_00007FFC74C4E7B0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C9B7A021_2_00007FFC74C9B7A0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C7315021_2_00007FFC74C73150
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C8695021_2_00007FFC74C86950
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4414021_2_00007FFC74C44140
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C8B96021_2_00007FFC74C8B960
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C3E11021_2_00007FFC74C3E110
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4391021_2_00007FFC74C43910
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C2B10021_2_00007FFC74C2B100
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C5613021_2_00007FFC74C56130
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C218D021_2_00007FFC74C218D0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C3D89021_2_00007FFC74C3D890
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4788021_2_00007FFC74C47880
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C308B021_2_00007FFC74C308B0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C5B25021_2_00007FFC74C5B250
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C27A4021_2_00007FFC74C27A40
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C8B26021_2_00007FFC74C8B260
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C521D021_2_00007FFC74C521D0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C469C021_2_00007FFC74C469C0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C559F021_2_00007FFC74C559F0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4F1F021_2_00007FFC74C4F1F0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C591F021_2_00007FFC74C591F0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C589F021_2_00007FFC74C589F0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C5999021_2_00007FFC74C59990
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C2298021_2_00007FFC74C22980
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C3E9B021_2_00007FFC74C3E9B0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C411B021_2_00007FFC74C411B0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4E9A021_2_00007FFC74C4E9A0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C85B5021_2_00007FFC74C85B50
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C2535021_2_00007FFC74C25350
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4334021_2_00007FFC74C43340
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C3834021_2_00007FFC74C38340
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C5436021_2_00007FFC74C54360
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4A31021_2_00007FFC74C4A310
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C5030021_2_00007FFC74C50300
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C51B3021_2_00007FFC74C51B30
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C2BB2021_2_00007FFC74C2BB20
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C492C021_2_00007FFC74C492C0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C7F2C021_2_00007FFC74C7F2C0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C482E021_2_00007FFC74C482E0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C5BAE021_2_00007FFC74C5BAE0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C82AE021_2_00007FFC74C82AE0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C4DAA021_2_00007FFC74C4DAA0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C882A021_2_00007FFC74C882A0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C8AAA021_2_00007FFC74C8AAA0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C3741021_2_00007FFC74C37410
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C8941021_2_00007FFC74C89410
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C8E40021_2_00007FFC74C8E400
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C25C2021_2_00007FFC74C25C20
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C3542021_2_00007FFC74C35420
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C74BC021_2_00007FFC74C74BC0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C323F021_2_00007FFC74C323F0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeCode function: 21_2_00007FFC74C8439021_2_00007FFC74C84390
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C7D52025_2_00007FFC74C7D520
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C45CD025_2_00007FFC74C45CD0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C7765025_2_00007FFC74C77650
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C6DDC025_2_00007FFC74C6DDC0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C4502025_2_00007FFC74C45020
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C597D025_2_00007FFC74C597D0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C6315025_2_00007FFC74C63150
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C3788025_2_00007FFC74C37880
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C5CA5025_2_00007FFC74C5CA50
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C4AA7025_2_00007FFC74C4AA70
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C459F025_2_00007FFC74C459F0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C5A2C025_2_00007FFC74C5A2C0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C4BAE025_2_00007FFC74C4BAE0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C33D5025_2_00007FFC74C33D50
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C3D55025_2_00007FFC74C3D550
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C29D7025_2_00007FFC74C29D70
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C40D1025_2_00007FFC74C40D10
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C41D3025_2_00007FFC74C41D30
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C23CD025_2_00007FFC74C23CD0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C43CF025_2_00007FFC74C43CF0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C7A49025_2_00007FFC74C7A490
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C7E49425_2_00007FFC74C7E494
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C3AC8025_2_00007FFC74C3AC80
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C7E48B25_2_00007FFC74C7E48B
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C7E4AD25_2_00007FFC74C7E4AD
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C7E4B625_2_00007FFC74C7E4B6
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C72CA025_2_00007FFC74C72CA0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C7E49D25_2_00007FFC74C7E49D
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C7E4A625_2_00007FFC74C7E4A6
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C6065025_2_00007FFC74C60650
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C2867025_2_00007FFC74C28670
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C3361025_2_00007FFC74C33610
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C42E1025_2_00007FFC74C42E10
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C1162025_2_00007FFC74C11620
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C1DE2025_2_00007FFC74C1DE20
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C295C025_2_00007FFC74C295C0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C425C025_2_00007FFC74C425C0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C265E025_2_00007FFC74C265E0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C1C5A025_2_00007FFC74C1C5A0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C32F5025_2_00007FFC74C32F50
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C7077025_2_00007FFC74C70770
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C2E77025_2_00007FFC74C2E770
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C8BF6F25_2_00007FFC74C8BF6F
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C7576025_2_00007FFC74C75760
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exeCode function: 25_2_00007FFC74C70F3025_2_00007FFC74C70F30
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C3872B
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C77EC0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C16E90
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C17E80
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C7A6B0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C3F6B0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C406A0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C35050
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C65840
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C4F870
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C5F870
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C11010
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C34800
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C3C030
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C40020
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C2A7D0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C28FC0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C84FF0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C36FE0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C16790
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C7C780
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C8EF80
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C3E7B0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C8B7A0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C76950
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C34140
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C7B960
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C2E110
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C33910
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C1B100
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C46130
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C118D0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C2D890
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C208B0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C4B250
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C17A40
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C7B260
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C421D0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C369C0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C491F0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C489F0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C3F1F0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C49990
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C12980
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C2E9B0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C311B0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C3E9A0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C75B50
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C15350
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C33340
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C28340
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C44360
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C3A310
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C40300
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C41B30
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C1BB20
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C6F2C0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C392C0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C77AF0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C72AE0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C382E0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C782A0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C7AAA0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C3DAA0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C79410
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C27410
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C7E400
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C15C20
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C25420
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C64BC0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C223F0
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C74390
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672550898
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254E998
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254EF84
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672546088
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672543A5C
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672544B5C
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672544260
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254CF64
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672555644
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672546744
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254E04C
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672545B4C
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672559354
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672557550
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67255151C
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672558E1C
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254BE24
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254AD20
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254292C
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254E330
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254DAFC
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254C1FC
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672548BFC
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672545300
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672544F08
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67255780C
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672554D0C
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254FC14
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672541B14
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254C710
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF6725533DC
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF6725413E4
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF6725472E8
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF6725529E8
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF6725586E8
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF6725479C4
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672550AC0
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672547ED0
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF6725510D4
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA580D0
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA3F930
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA5B130
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA43060
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA59090
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA52810
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA4FF80
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA43EE8
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA4E638
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA3753C
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA44540
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA33D94
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA5D4D0
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA3DC4C
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA49CA0
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA5A420
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA343AC
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA4EBA8
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA45330
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA3D2F8
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA56260
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA58AA0
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA51950
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA5F994
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA84DD0
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA8ED90
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA58F14
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA9EE40
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA9D010
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA6AFF0
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA9A998
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA689F4
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA56948
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA6CCFC
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA3ED00
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA24CDC
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA90C44
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA6A5D0
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CAA45E0
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA5253C
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA3E560
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA70644
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA60620
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA0E7FC
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA19AF0
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA0A7EC
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CAB47E5
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CAA0728
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA648C0
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA821AC
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA421AC
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA84198
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA8C2D8
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA4A250
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA2E224
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA343B8
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA03D38
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA75F08
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA6BE58
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CAABFEC
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA9BF88
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA0A058
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA77A00
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA0B928
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA8F920
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA71AD4
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA97A20
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CAADB6C
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA8BD14
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA3DC44
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CAAFC59
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA6D6B0
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CAAD7A2
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA9D788
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: String function: 00007FF76CA032F8 appears 319 times
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: String function: 00007FF76CA04D68 appears 156 times
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: String function: 00007FF76CA06894 appears 44 times
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: String function: 00007FF76CA162E4 appears 55 times
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: String function: 00007FF76CAA6AD8 appears 183 times
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: String function: 00007FF67254114C appears 40 times
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: String function: 00007FF6725412F0 appears 44 times
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: String function: 00007FF6BFA32AE8 appears 152 times
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67107770 NtClose
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712D520 NtQuerySystemInformation,RtlAllocateHeap
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe | Code function: 21_2_00007FFC74C55CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe | Code function: 21_2_00007FFC74C67770 NtClose
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C7D520 NtQuerySystemInformation
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C4C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C45CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C35F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C57770 NtClose
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C4AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Code function: 25_2_00007FFC74C4BAE0 NtReadVirtualMemory
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA63030 memset,AlpcInitializeMessageAttribute,AcquireSRWLockShared,ReleaseSRWLockShared,ZwAlpcSendWaitReceivePort,AlpcGetMessageAttribute,ZwAlpcCancelMessage,ReleaseSRWLockShared,RtlWakeAddressAll
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA62F2C AcquireSRWLockShared,ReleaseSRWLockShared,ZwAlpcDisconnectPort,ZwAlpcQueryInformation,ReleaseSRWLockShared,RtlWaitOnAddress,AcquireSRWLockExclusive,GetCurrentThreadId,ReleaseSRWLockExclusive,CloseHandle,TpWaitForAlpcCompletion
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA643C0 memset,GetCurrentProcess,QueryFullProcessImageNameW,NtPowerInformation
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA62C30 HeapAlloc,memset,InitializeSRWLock,RtlInitUnicodeString,memset,memset,ZwAlpcConnectPort,CreateThreadpool,TpAllocAlpcCompletion
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA63284 AcquireSRWLockExclusive,GetCurrentThreadId,ZwClose,ReleaseSRWLockExclusive,ZwAlpcCancelMessage
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Code function: 37_2_00007FF6BFA631E0 AcquireSRWLockShared,memset,ZwAlpcSendWaitReceivePort,ReleaseSRWLockShared
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CAAA9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Code function: 41_2_00007FF76CA76C44 RtlInitUnicodeString,NtQueryLicenseValue
                      Source: GamePanel.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: GamePanel.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: GamePanel.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: PresentationHost.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: PresentationHost.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: PresentationHost.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: PresentationHost.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: PresentationHost.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: PresentationHost.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: PresentationHost.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: PresentationHost.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: PresentationHost.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: PresentationHost.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: wlrmdr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: wlrmdr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel34.dll
                      Source: C:\Windows\explorer.exe | Section loaded: kernel34.dll
                      Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
                      Source: C:\Windows\explorer.exe | Section loaded: capabilityaccessmanagerclient.dll
                      Source: C:\Windows\explorer.exe | Section loaded: kernel34.dll
                      Source: C:\Windows\explorer.exe | Section loaded: kernel34.dll
                      Source: C:\Windows\explorer.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe | Section loaded: kernel34.dll
                      Source: dwmapi.dll.4.drStatic PE information: Number of sections : 58 > 10
                      Source: AyBhhRZXPj.dllStatic PE information: Number of sections : 57 > 10
                      Source: WTSAPI32.dll.4.drStatic PE information: Number of sections : 58 > 10
                      Source: DUI70.dll.4.drStatic PE information: Number of sections : 58 > 10
                      Source: VERSION.dll0.4.drStatic PE information: Number of sections : 58 > 10
                      Source: XmlLite.dll.4.drStatic PE information: Number of sections : 58 > 10
                      Source: VERSION.dll.4.drStatic PE information: Number of sections : 58 > 10
                      Source: UxTheme.dll.4.drStatic PE information: Number of sections : 58 > 10
                      Source: MFC42u.dll.4.drStatic PE information: Number of sections : 58 > 10
                      Source: AyBhhRZXPj.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: dwmapi.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: VERSION.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: WTSAPI32.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DUI70.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: UxTheme.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: MFC42u.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: VERSION.dll0.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: XmlLite.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: AyBhhRZXPj.dllVirustotal: Detection: 70%
                      Source: AyBhhRZXPj.dllMetadefender: Detection: 62%
                      Source: AyBhhRZXPj.dllReversingLabs: Detection: 88%
                      Source: AyBhhRZXPj.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatString
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatValue
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Magnify.exe C:\Windows\system32\Magnify.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\u70W8\FileHistory.exe C:\Users\user\AppData\Local\u70W8\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mspaint.exe C:\Windows\system32\mspaint.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mmc.exe C:\Windows\system32\mmc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\EaseOfAccessDialog.exe C:\Windows\system32\EaseOfAccessDialog.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\unregmp2.exe C:\Windows\system32\unregmp2.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\vVin\unregmp2.exe C:\Users\user\AppData\Local\vVin\unregmp2.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\omadmclient.exe C:\Windows\system32\omadmclient.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesPerformance.exe C:\Windows\system32\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\eudcedit.exe C:\Windows\system32\eudcedit.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Odp\GamePanel.exe C:\Users\user\AppData\Local\Odp\GamePanel.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatString
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatValue
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Magnify.exe C:\Windows\system32\Magnify.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\u70W8\FileHistory.exe C:\Users\user\AppData\Local\u70W8\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mspaint.exe C:\Windows\system32\mspaint.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mmc.exe C:\Windows\system32\mmc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\EaseOfAccessDialog.exe C:\Windows\system32\EaseOfAccessDialog.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\unregmp2.exe C:\Windows\system32\unregmp2.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\vVin\unregmp2.exe C:\Users\user\AppData\Local\vVin\unregmp2.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\omadmclient.exe C:\Windows\system32\omadmclient.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesPerformance.exe C:\Windows\system32\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\eudcedit.exe C:\Windows\system32\eudcedit.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Odp\GamePanel.exe C:\Users\user\AppData\Local\Odp\GamePanel.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.evad.winDLL@49/18@0/0
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672545AA0 SHCreateItemFromParsingName,SetFileAttributesW,DeleteFileW,CoCreateInstance,35_2_00007FF672545AA0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe Code function: 37_2_00007FF6BFA580D0 CreateStreamOnHGlobal,CreateXmlWriterOutputWithEncodingName,memset,memset,GetLastError,LocalFree,SetLastError,LocalFree,memset,FormatMessageW,GetLastError,GetProcessHeap,HeapAlloc,BigStrcat,GetLastError,LocalFree,SetLastError,??3@YAXPEAX@Z,LocalFree,LocalFree,LocalFree,??3@YAXPEAX@Z,LocalFree,LocalFree,37_2_00007FF6BFA580D0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672543720 RegDeleteKeyW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,GetFileAttributesW,ShellExecuteW,OpenSCManagerW,OpenServiceW,QueryServiceConfigW,ChangeServiceConfigW,QueryServiceStatus,ControlService,CloseServiceHandle,CloseServiceHandle,35_2_00007FF672543720
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe Code function: 25_2_00007FFC74C4CB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First,25_2_00007FFC74C4CB00
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Mutant created: \Sessions\1\BaseNamedObjects\{7f288414-5cf0-ae42-7066-c8e415a6409f}
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe Mutant created: \Sessions\1\BaseNamedObjects\{ca68fc37-cbed-19a4-8710-155280dc7f30}
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe Code function: 35_2_00007FF672543A5C CoInitialize,SHGetFolderPathW,LoadStringW,GetFileAttributesW,CreateDirectoryW,GetLastError,GetLastError,GetFileAttributesW,CreateDirectoryW,GetLastError,GetLastError,GetLastError,CoUninitialize,GetUserDefaultLCID,LCIDToLocaleName,PathAddBackslashW,CreateDirectoryW,GetTickCount,CreateDirectoryW,GetLastError,GetLastError,FindResourceW,LoadResource,CreateFileW,SizeofResource,WriteFile,CloseHandle,RegCreateKeyExW,RegSetValueExW,GetLastError,RegCloseKey,35_2_00007FF672543A5C
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: AyBhhRZXPj.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: AyBhhRZXPj.dll Static file information: File size 1351680 > 1048576
Source: AyBhhRZXPj.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: mspaint.pdb source: mspaint.exe, 00000019.00000000.419578288.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp, mspaint.exe, 00000019.00000002.455682881.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp
                      Source: Binary string: mspaint.pdbGCTL source: mspaint.exe, 00000019.00000000.419578288.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp, mspaint.exe, 00000019.00000002.455682881.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp
                      Source: Binary string: unregmp2.pdb source: unregmp2.exe, 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp, unregmp2.exe, 00000023.00000000.466778419.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                      Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp
                      Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 00000015.00000000.378208348.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp, FileHistory.exe, 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
                      Source: Binary string: unregmp2.pdbGCTL source: unregmp2.exe, 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp, unregmp2.exe, 00000023.00000000.466778419.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                      Source: Binary string: GamePanel.pdb source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp
                      Source: Binary string: omadmclient.pdb source: omadmclient.exe, 00000025.00000000.504473008.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp, omadmclient.exe, 00000025.00000002.528042949.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp
                      Source: Binary string: omadmclient.pdbGCTL source: omadmclient.exe, 00000025.00000000.504473008.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp, omadmclient.exe, 00000025.00000002.528042949.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp
                      Source: Binary string: FileHistory.pdb source: FileHistory.exe, 00000015.00000000.378208348.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp, FileHistory.exe, 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
Source: AyBhhRZXPj.dll Static PE information: section name: .vxl
Source: AyBhhRZXPj.dll Static PE information: section name: .qwubgr
Source: AyBhhRZXPj.dll Static PE information: section name: .eer
Source: AyBhhRZXPj.dll Static PE information: section name: .xwwauf
Source: AyBhhRZXPj.dll Static PE information: section name: .pkc
Source: AyBhhRZXPj.dll Static PE information: section name: .npkda
Source: AyBhhRZXPj.dll Static PE information: section name: .vhs
Source: AyBhhRZXPj.dll Static PE information: section name: .iaywj
Source: AyBhhRZXPj.dll Static PE information: section name: .nasi
Source: AyBhhRZXPj.dll Static PE information: section name: .zhvprh
Source: AyBhhRZXPj.dll Static PE information: section name: .yatdsp
Source: AyBhhRZXPj.dll Static PE information: section name: .njso
Source: AyBhhRZXPj.dll Static PE information: section name: .lgliat
Source: AyBhhRZXPj.dll Static PE information: section name: .ntqjh
Source: AyBhhRZXPj.dll Static PE information: section name: .sucsek
Source: AyBhhRZXPj.dll Static PE information: section name: .qsxjui
Source: AyBhhRZXPj.dll Static PE information: section name: .twctcm
Source: AyBhhRZXPj.dll Static PE information: section name: .nms
Source: AyBhhRZXPj.dll Static PE information: section name: .ogj
Source: AyBhhRZXPj.dll Static PE information: section name: .vrkgb
Source: AyBhhRZXPj.dll Static PE information: section name: .gikfw
Source: AyBhhRZXPj.dll Static PE information: section name: .ktl
Source: AyBhhRZXPj.dll Static PE information: section name: .crcn
Source: AyBhhRZXPj.dll Static PE information: section name: .wtfr
Source: AyBhhRZXPj.dll Static PE information: section name: .hep
Source: AyBhhRZXPj.dll Static PE information: section name: .ywg
Source: AyBhhRZXPj.dll Static PE information: section name: .sqsp
Source: AyBhhRZXPj.dll Static PE information: section name: .gzb
Source: AyBhhRZXPj.dll Static PE information: section name: .fatlss
Source: AyBhhRZXPj.dll Static PE information: section name: .plqa
Source: AyBhhRZXPj.dll Static PE information: section name: .vzt
Source: AyBhhRZXPj.dll Static PE information: section name: .dsbyd
Source: AyBhhRZXPj.dll Static PE information: section name: .cdelc
Source: AyBhhRZXPj.dll Static PE information: section name: .qkhkj
Source: AyBhhRZXPj.dll Static PE information: section name: .mnzegr
Source: AyBhhRZXPj.dll Static PE information: section name: .krw
Source: AyBhhRZXPj.dll Static PE information: section name: .jvsmn
Source: AyBhhRZXPj.dll Static PE information: section name: .bygpq
Source: AyBhhRZXPj.dll Static PE information: section name: .kzdbu
Source: AyBhhRZXPj.dll Static PE information: section name: .mwxorn
Source: AyBhhRZXPj.dll Static PE information: section name: .raf
Source: AyBhhRZXPj.dll Static PE information: section name: .zcyw
Source: AyBhhRZXPj.dll Static PE information: section name: .zeczh
Source: AyBhhRZXPj.dll Static PE information: section name: .pvv
Source: AyBhhRZXPj.dll Static PE information: section name: .lug
Source: AyBhhRZXPj.dll Static PE information: section name: .ski
Source: AyBhhRZXPj.dll Static PE information: section name: .japjd
Source: AyBhhRZXPj.dll Static PE information: section name: .mwtzml
Source: AyBhhRZXPj.dll Static PE information: section name: .vgssf
Source: AyBhhRZXPj.dll Static PE information: section name: .qqb
Source: AyBhhRZXPj.dll Static PE information: section name: .vje
Source: omadmclient.exe.4.dr Static PE information: section name: .didat
Source: GamePanel.exe.4.dr Static PE information: section name: .imrsiv
Source: GamePanel.exe.4.dr Static PE information: section name: .didat
Source: FileHistory.exe.4.dr Static PE information: section name: .nep
Source: wlrmdr.exe.4.dr Static PE information: section name: .imrsiv
Source: dwmapi.dll.4.dr Static PE information: section name: .vxl
Source: dwmapi.dll.4.dr Static PE information: section name: .qwubgr
Source: dwmapi.dll.4.dr Static PE information: section name: .eer
Source: dwmapi.dll.4.dr Static PE information: section name: .xwwauf
Source: dwmapi.dll.4.dr Static PE information: section name: .pkc
Source: dwmapi.dll.4.dr Static PE information: section name: .npkda
Source: dwmapi.dll.4.dr Static PE information: section name: .vhs
Source: dwmapi.dll.4.dr Static PE information: section name: .iaywj
Source: dwmapi.dll.4.dr Static PE information: section name: .nasi
Source: dwmapi.dll.4.dr Static PE information: section name: .zhvprh
Source: dwmapi.dll.4.dr Static PE information: section name: .yatdsp
Source: dwmapi.dll.4.dr Static PE information: section name: .njso
Source: dwmapi.dll.4.dr Static PE information: section name: .lgliat
Source: dwmapi.dll.4.dr Static PE information: section name: .ntqjh
Source: dwmapi.dll.4.dr Static PE information: section name: .sucsek
Source: dwmapi.dll.4.dr Static PE information: section name: .qsxjui
Source: dwmapi.dll.4.dr Static PE information: section name: .twctcm
Source: dwmapi.dll.4.dr Static PE information: section name: .nms
Source: dwmapi.dll.4.dr Static PE information: section name: .ogj
Source: dwmapi.dll.4.dr Static PE information: section name: .vrkgb
Source: dwmapi.dll.4.dr Static PE information: section name: .gikfw
Source: dwmapi.dll.4.dr Static PE information: section name: .ktl
Source: dwmapi.dll.4.dr Static PE information: section name: .crcn
Source: dwmapi.dll.4.dr Static PE information: section name: .wtfr
Source: dwmapi.dll.4.dr Static PE information: section name: .hep
Source: dwmapi.dll.4.dr Static PE information: section name: .ywg
Source: dwmapi.dll.4.dr Static PE information: section name: .sqsp
Source: dwmapi.dll.4.dr Static PE information: section name: .gzb
Source: dwmapi.dll.4.dr Static PE information: section name: .fatlss
Source: dwmapi.dll.4.dr Static PE information: section name: .plqa
Source: dwmapi.dll.4.dr Static PE information: section name: .vzt
Source: dwmapi.dll.4.dr Static PE information: section name: .dsbyd
Source: dwmapi.dll.4.dr Static PE information: section name: .cdelc
Source: dwmapi.dll.4.dr Static PE information: section name: .qkhkj
Source: dwmapi.dll.4.dr Static PE information: section name: .mnzegr
Source: dwmapi.dll.4.dr Static PE information: section name: .krw
Source: dwmapi.dll.4.dr Static PE information: section name: .jvsmn
Source: dwmapi.dll.4.dr Static PE information: section name: .bygpq
Source: dwmapi.dll.4.dr Static PE information: section name: .kzdbu
Source: dwmapi.dll.4.dr Static PE information: section name: .mwxorn
Source: dwmapi.dll.4.dr Static PE information: section name: .raf
Source: dwmapi.dll.4.dr Static PE information: section name: .zcyw
Source: dwmapi.dll.4.dr Static PE information: section name: .zeczh
Source: dwmapi.dll.4.dr Static PE information: section name: .pvv
Source: dwmapi.dll.4.dr Static PE information: section name: .lug
Source: dwmapi.dll.4.dr Static PE information: section name: .ski
Source: dwmapi.dll.4.dr Static PE information: section name: .japjd
Source: dwmapi.dll.4.dr Static PE information: section name: .mwtzml
Source: dwmapi.dll.4.dr Static PE information: section name: .vgssf
Source: dwmapi.dll.4.dr Static PE information: section name: .qqb
Source: dwmapi.dll.4.dr Static PE information: section name: .vje
Source: dwmapi.dll.4.dr Static PE information: section name: .ksr
Source: VERSION.dll.4.dr Static PE information: section name: .vxl
Source: VERSION.dll.4.dr Static PE information: section name: .qwubgr
Source: VERSION.dll.4.dr Static PE information: section name: .eer
Source: VERSION.dll.4.dr Static PE information: section name: .xwwauf
Source: VERSION.dll.4.dr Static PE information: section name: .pkc
Source: VERSION.dll.4.dr Static PE information: section name: .npkda
Source: VERSION.dll.4.dr Static PE information: section name: .vhs
Source: VERSION.dll.4.dr Static PE information: section name: .iaywj
Source: VERSION.dll.4.dr Static PE information: section name: .nasi
Source: VERSION.dll.4.dr Static PE information: section name: .zhvprh
Source: VERSION.dll.4.dr Static PE information: section name: .yatdsp
Source: VERSION.dll.4.dr Static PE information: section name: .njso
Source: VERSION.dll.4.dr Static PE information: section name: .lgliat
Source: VERSION.dll.4.dr Static PE information: section name: .ntqjh
Source: VERSION.dll.4.dr Static PE information: section name: .sucsek
Source: VERSION.dll.4.dr Static PE information: section name: .qsxjui
Source: VERSION.dll.4.dr Static PE information: section name: .twctcm
Source: VERSION.dll.4.dr Static PE information: section name: .nms
Source: VERSION.dll.4.dr Static PE information: section name: .ogj
Source: VERSION.dll.4.dr Static PE information: section name: .vrkgb
Source: VERSION.dll.4.dr Static PE information: section name: .gikfw
Source: VERSION.dll.4.dr Static PE information: section name: .ktl
Source: VERSION.dll.4.dr Static PE information: section name: .crcn
Source: VERSION.dll.4.dr Static PE information: section name: .wtfr
Source: VERSION.dll.4.dr Static PE information: section name: .hep
Source: VERSION.dll.4.dr Static PE information: section name: .ywg
Source: VERSION.dll.4.dr Static PE information: section name: .sqsp
Source: VERSION.dll.4.dr Static PE information: section name: .gzb
Source: VERSION.dll.4.dr Static PE information: section name: .fatlss
Source: VERSION.dll.4.dr Static PE information: section name: .plqa
Source: VERSION.dll.4.dr Static PE information: section name: .vzt
Source: VERSION.dll.4.dr Static PE information: section name: .dsbyd
Source: VERSION.dll.4.dr Static PE information: section name: .cdelc
Source: VERSION.dll.4.dr Static PE information: section name: .qkhkj
Source: VERSION.dll.4.dr Static PE information: section name: .mnzegr
Source: VERSION.dll.4.dr Static PE information: section name: .krw
Source: VERSION.dll.4.dr Static PE information: section name: .jvsmn
Source: VERSION.dll.4.dr Static PE information: section name: .bygpq
Source: VERSION.dll.4.dr Static PE information: section name: .kzdbu
Source: VERSION.dll.4.dr Static PE information: section name: .mwxorn
Source: VERSION.dll.4.dr Static PE information: section name: .raf
Source: VERSION.dll.4.dr Static PE information: section name: .zcyw
Source: VERSION.dll.4.dr Static PE information: section name: .zeczh
Source: VERSION.dll.4.dr Static PE information: section name: .pvv
Source: VERSION.dll.4.dr Static PE information: section name: .lug
Source: VERSION.dll.4.dr Static PE information: section name: .ski
Source: VERSION.dll.4.dr Static PE information: section name: .japjd
Source: VERSION.dll.4.dr Static PE information: section name: .mwtzml
Source: VERSION.dll.4.dr Static PE information: section name: .vgssf
Source: VERSION.dll.4.dr Static PE information: section name: .qqb
Source: VERSION.dll.4.dr Static PE information: section name: .vje
Source: VERSION.dll.4.dr Static PE information: section name: .iol
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vxl
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qwubgr
Source: WTSAPI32.dll.4.dr Static PE information: section name: .eer
Source: WTSAPI32.dll.4.dr Static PE information: section name: .xwwauf
Source: WTSAPI32.dll.4.dr Static PE information: section name: .pkc
Source: WTSAPI32.dll.4.dr Static PE information: section name: .npkda
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vhs
Source: WTSAPI32.dll.4.dr Static PE information: section name: .iaywj
Source: WTSAPI32.dll.4.dr Static PE information: section name: .nasi
Source: WTSAPI32.dll.4.dr Static PE information: section name: .zhvprh
Source: WTSAPI32.dll.4.dr Static PE information: section name: .yatdsp
Source: WTSAPI32.dll.4.dr Static PE information: section name: .njso
Source: WTSAPI32.dll.4.dr Static PE information: section name: .lgliat
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ntqjh
Source: WTSAPI32.dll.4.dr Static PE information: section name: .sucsek
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qsxjui
Source: WTSAPI32.dll.4.dr Static PE information: section name: .twctcm
Source: WTSAPI32.dll.4.dr Static PE information: section name: .nms
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ogj
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vrkgb
Source: WTSAPI32.dll.4.dr Static PE information: section name: .gikfw
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ktl
Source: WTSAPI32.dll.4.dr Static PE information: section name: .crcn
Source: WTSAPI32.dll.4.dr Static PE information: section name: .wtfr
Source: WTSAPI32.dll.4.dr Static PE information: section name: .hep
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ywg
Source: WTSAPI32.dll.4.dr Static PE information: section name: .sqsp
Source: WTSAPI32.dll.4.dr Static PE information: section name: .gzb
Source: WTSAPI32.dll.4.dr Static PE information: section name: .fatlss
Source: WTSAPI32.dll.4.dr Static PE information: section name: .plqa
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vzt
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .dsbyd
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .cdelc
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .qkhkj
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .mnzegr
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .krw
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .jvsmn
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .bygpq
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .kzdbu
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .mwxorn
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .raf
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .zcyw
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .zeczh
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .pvv
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .lug
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .ski
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .japjd
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .mwtzml
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .vgssf
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .qqb
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .vje
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .gec
                      Source: DUI70.dll.4.drStatic PE information: section name: .vxl
                      Source: DUI70.dll.4.drStatic PE information: section name: .qwubgr
                      Source: DUI70.dll.4.drStatic PE information: section name: .eer
                      Source: DUI70.dll.4.drStatic PE information: section name: .xwwauf
                      Source: DUI70.dll.4.drStatic PE information: section name: .pkc
                      Source: DUI70.dll.4.drStatic PE information: section name: .npkda
                      Source: DUI70.dll.4.drStatic PE information: section name: .vhs
                      Source: DUI70.dll.4.drStatic PE information: section name: .iaywj
                      Source: DUI70.dll.4.drStatic PE information: section name: .nasi
                      Source: DUI70.dll.4.drStatic PE information: section name: .zhvprh
                      Source: DUI70.dll.4.drStatic PE information: section name: .yatdsp
                      Source: DUI70.dll.4.drStatic PE information: section name: .njso
                      Source: DUI70.dll.4.drStatic PE information: section name: .lgliat
                      Source: DUI70.dll.4.drStatic PE information: section name: .ntqjh
                      Source: DUI70.dll.4.drStatic PE information: section name: .sucsek
                      Source: DUI70.dll.4.drStatic PE information: section name: .qsxjui
                      Source: DUI70.dll.4.drStatic PE information: section name: .twctcm
                      Source: DUI70.dll.4.drStatic PE information: section name: .nms
                      Source: DUI70.dll.4.drStatic PE information: section name: .ogj
                      Source: DUI70.dll.4.drStatic PE information: section name: .vrkgb
                      Source: DUI70.dll.4.drStatic PE information: section name: .gikfw
                      Source: DUI70.dll.4.drStatic PE information: section name: .ktl
                      Source: DUI70.dll.4.drStatic PE information: section name: .crcn
                      Source: DUI70.dll.4.drStatic PE information: section name: .wtfr
                      Source: DUI70.dll.4.drStatic PE information: section name: .hep
                      Source: DUI70.dll.4.drStatic PE information: section name: .ywg
                      Source: DUI70.dll.4.drStatic PE information: section name: .sqsp
                      Source: DUI70.dll.4.drStatic PE information: section name: .gzb
                      Source: DUI70.dll.4.drStatic PE information: section name: .fatlss
                      Source: DUI70.dll.4.drStatic PE information: section name: .plqa
                      Source: DUI70.dll.4.drStatic PE information: section name: .vzt
                      Source: DUI70.dll.4.drStatic PE information: section name: .dsbyd
                      Source: DUI70.dll.4.drStatic PE information: section name: .cdelc
                      Source: DUI70.dll.4.drStatic PE information: section name: .qkhkj
                      Source: DUI70.dll.4.drStatic PE information: section name: .mnzegr
                      Source: DUI70.dll.4.drStatic PE information: section name: .krw
                      Source: DUI70.dll.4.drStatic PE information: section name: .jvsmn
                      Source: DUI70.dll.4.drStatic PE information: section name: .bygpq
                      Source: DUI70.dll.4.drStatic PE information: section name: .kzdbu
                      Source: DUI70.dll.4.drStatic PE information: section name: .mwxorn
                      Source: DUI70.dll.4.drStatic PE information: section name: .raf
                      Source: DUI70.dll.4.drStatic PE information: section name: .zcyw
                      Source: DUI70.dll.4.drStatic PE information: section name: .zeczh
                      Source: DUI70.dll.4.drStatic PE information: section name: .pvv
                      Source: DUI70.dll.4.drStatic PE information: section name: .lug
                      Source: DUI70.dll.4.drStatic PE information: section name: .ski
                      Source: DUI70.dll.4.drStatic PE information: section name: .japjd
                      Source: DUI70.dll.4.drStatic PE information: section name: .mwtzml
                      Source: DUI70.dll.4.drStatic PE information: section name: .vgssf
                      Source: DUI70.dll.4.drStatic PE information: section name: .qqb
                      Source: DUI70.dll.4.drStatic PE information: section name: .vje
                      Source: DUI70.dll.4.drStatic PE information: section name: .bue
                      Source: UxTheme.dll.4.drStatic PE information: section name: .vxl
                      Source: UxTheme.dll.4.drStatic PE information: section name: .qwubgr
                      Source: UxTheme.dll.4.drStatic PE information: section name: .eer
                      Source: UxTheme.dll.4.drStatic PE information: section name: .xwwauf
                      Source: UxTheme.dll.4.drStatic PE information: section name: .pkc
                      Source: UxTheme.dll.4.drStatic PE information: section name: .npkda
                      Source: UxTheme.dll.4.drStatic PE information: section name: .vhs
                      Source: UxTheme.dll.4.drStatic PE information: section name: .iaywj
                      Source: UxTheme.dll.4.drStatic PE information: section name: .nasi
                      Source: UxTheme.dll.4.drStatic PE information: section name: .zhvprh
                      Source: UxTheme.dll.4.drStatic PE information: section name: .yatdsp
                      Source: UxTheme.dll.4.drStatic PE information: section name: .njso
                      Source: UxTheme.dll.4.drStatic PE information: section name: .lgliat
                      Source: UxTheme.dll.4.drStatic PE information: section name: .ntqjh
                      Source: UxTheme.dll.4.drStatic PE information: section name: .sucsek
                      Source: UxTheme.dll.4.drStatic PE information: section name: .qsxjui
                      Source: UxTheme.dll.4.drStatic PE information: section name: .twctcm
                      Source: UxTheme.dll.4.drStatic PE information: section name: .nms
                      Source: UxTheme.dll.4.drStatic PE information: section name: .ogj
                      Source: UxTheme.dll.4.drStatic PE information: section name: .vrkgb
                      Source: UxTheme.dll.4.drStatic PE information: section name: .gikfw
                      Source: UxTheme.dll.4.drStatic PE information: section name: .ktl
                      Source: UxTheme.dll.4.drStatic PE information: section name: .crcn
                      Source: UxTheme.dll.4.drStatic PE information: section name: .wtfr
                      Source: UxTheme.dll.4.drStatic PE information: section name: .hep
                      Source: UxTheme.dll.4.drStatic PE information: section name: .ywg
                      Source: UxTheme.dll.4.drStatic PE information: section name: .sqsp
                      Source: UxTheme.dll.4.drStatic PE information: section name: .gzb
                      Source: UxTheme.dll.4.drStatic PE information: section name: .fatlss
                      Source: UxTheme.dll.4.drStatic PE information: section name: .plqa
                      Source: UxTheme.dll.4.drStatic PE information: section name: .vzt
                      Source: UxTheme.dll.4.drStatic PE information: section name: .dsbyd
                      Source: UxTheme.dll.4.drStatic PE information: section name: .cdelc
                      Source: UxTheme.dll.4.drStatic PE information: section name: .qkhkj
                      Source: UxTheme.dll.4.drStatic PE information: section name: .mnzegr
                      Source: UxTheme.dll.4.drStatic PE information: section name: .krw
                      Source: UxTheme.dll.4.drStatic PE information: section name: .jvsmn
                      Source: UxTheme.dll.4.drStatic PE information: section name: .bygpq
                      Source: UxTheme.dll.4.drStatic PE information: section name: .kzdbu
                      Source: UxTheme.dll.4.drStatic PE information: section name: .mwxorn
                      Source: UxTheme.dll.4.drStatic PE information: section name: .raf
                      Source: UxTheme.dll.4.drStatic PE information: section name: .zcyw
                      Source: UxTheme.dll.4.drStatic PE information: section name: .zeczh
                      Source: UxTheme.dll.4.drStatic PE information: section name: .pvv
                      Source: UxTheme.dll.4.drStatic PE information: section name: .lug
                      Source: UxTheme.dll.4.drStatic PE information: section name: .ski
                      Source: UxTheme.dll.4.drStatic PE information: section name: .japjd
                      Source: UxTheme.dll.4.drStatic PE information: section name: .mwtzml
                      Source: UxTheme.dll.4.drStatic PE information: section name: .vgssf
                      Source: UxTheme.dll.4.drStatic PE information: section name: .qqb
                      Source: UxTheme.dll.4.drStatic PE information: section name: .vje
                      Source: UxTheme.dll.4.drStatic PE information: section name: .npi
                      Source: MFC42u.dll.4.drStatic PE information: section name: .vxl
                      Source: MFC42u.dll.4.drStatic PE information: section name: .qwubgr
                      Source: MFC42u.dll.4.drStatic PE information: section name: .eer
                      Source: MFC42u.dll.4.drStatic PE information: section name: .xwwauf
                      Source: MFC42u.dll.4.drStatic PE information: section name: .pkc
                      Source: MFC42u.dll.4.drStatic PE information: section name: .npkda
                      Source: MFC42u.dll.4.drStatic PE information: section name: .vhs
                      Source: MFC42u.dll.4.drStatic PE information: section name: .iaywj
                      Source: MFC42u.dll.4.drStatic PE information: section name: .nasi
                      Source: MFC42u.dll.4.drStatic PE information: section name: .zhvprh
                      Source: MFC42u.dll.4.drStatic PE information: section name: .yatdsp
                      Source: MFC42u.dll.4.drStatic PE information: section name: .njso
                      Source: MFC42u.dll.4.drStatic PE information: section name: .lgliat
                      Source: MFC42u.dll.4.drStatic PE information: section name: .ntqjh
                      Source: MFC42u.dll.4.drStatic PE information: section name: .sucsek
                      Source: MFC42u.dll.4.drStatic PE information: section name: .qsxjui
                      Source: MFC42u.dll.4.drStatic PE information: section name: .twctcm
                      Source: MFC42u.dll.4.drStatic PE information: section name: .nms
                      Source: MFC42u.dll.4.drStatic PE information: section name: .ogj
                      Source: MFC42u.dll.4.drStatic PE information: section name: .vrkgb
                      Source: MFC42u.dll.4.drStatic PE information: section name: .gikfw
                      Source: MFC42u.dll.4.drStatic PE information: section name: .ktl
                      Source: MFC42u.dll.4.drStatic PE information: section name: .crcn
                      Source: MFC42u.dll.4.drStatic PE information: section name: .wtfr
                      Source: MFC42u.dll.4.drStatic PE information: section name: .hep
                      Source: MFC42u.dll.4.drStatic PE information: section name: .ywg
                      Source: MFC42u.dll.4.drStatic PE information: section name: .sqsp
                      Source: MFC42u.dll.4.drStatic PE information: section name: .gzb
                      Source: MFC42u.dll.4.drStatic PE information: section name: .fatlss
                      Source: MFC42u.dll.4.drStatic PE information: section name: .plqa
                      Source: MFC42u.dll.4.drStatic PE information: section name: .vzt
                      Source: MFC42u.dll.4.drStatic PE information: section name: .dsbyd
                      Source: MFC42u.dll.4.drStatic PE information: section name: .cdelc
                      Source: MFC42u.dll.4.drStatic PE information: section name: .qkhkj
                      Source: MFC42u.dll.4.drStatic PE information: section name: .mnzegr
                      Source: MFC42u.dll.4.drStatic PE information: section name: .krw
                      Source: MFC42u.dll.4.drStatic PE information: section name: .jvsmn
                      Source: MFC42u.dll.4.drStatic PE information: section name: .bygpq
                      Source: MFC42u.dll.4.drStatic PE information: section name: .kzdbu
                      Source: MFC42u.dll.4.drStatic PE information: section name: .mwxorn
                      Source: MFC42u.dll.4.drStatic PE information: section name: .raf
                      Source: MFC42u.dll.4.drStatic PE information: section name: .zcyw
                      Source: MFC42u.dll.4.drStatic PE information: section name: .zeczh
                      Source: MFC42u.dll.4.drStatic PE information: section name: .pvv
                      Source: MFC42u.dll.4.drStatic PE information: section name: .lug
                      Source: MFC42u.dll.4.drStatic PE information: section name: .ski
                      Source: MFC42u.dll.4.drStatic PE information: section name: .japjd
                      Source: MFC42u.dll.4.drStatic PE information: section name: .mwtzml
                      Source: MFC42u.dll.4.drStatic PE information: section name: .vgssf
                      Source: MFC42u.dll.4.drStatic PE information: section name: .qqb
                      Source: MFC42u.dll.4.drStatic PE information: section name: .vje
                      Source: MFC42u.dll.4.drStatic PE information: section name: .tfhhe
                      Source: VERSION.dll0.4.drStatic PE information: section name: .vxl
                      Source: VERSION.dll0.4.drStatic PE information: section name: .qwubgr
                      Source: VERSION.dll0.4.drStatic PE information: section name: .eer
                      Source: VERSION.dll0.4.drStatic PE information: section name: .xwwauf
                      Source: VERSION.dll0.4.drStatic PE information: section name: .pkc
                      Source: VERSION.dll0.4.drStatic PE information: section name: .npkda
                      Source: VERSION.dll0.4.drStatic PE information: section name: .vhs
                      Source: VERSION.dll0.4.drStatic PE information: section name: .iaywj
                      Source: VERSION.dll0.4.drStatic PE information: section name: .nasi
                      Source: VERSION.dll0.4.drStatic PE information: section name: .zhvprh
                      Source: VERSION.dll0.4.drStatic PE information: section name: .yatdsp
                      Source: VERSION.dll0.4.drStatic PE information: section name: .njso
                      Source: VERSION.dll0.4.drStatic PE information: section name: .lgliat
                      Source: VERSION.dll0.4.drStatic PE information: section name: .ntqjh
                      Source: VERSION.dll0.4.drStatic PE information: section name: .sucsek
                      Source: VERSION.dll0.4.drStatic PE information: section name: .qsxjui
                      Source: VERSION.dll0.4.drStatic PE information: section name: .twctcm
                      Source: VERSION.dll0.4.drStatic PE information: section name: .nms
                      Source: VERSION.dll0.4.drStatic PE information: section name: .ogj
                      Source: VERSION.dll0.4.drStatic PE information: section name: .vrkgb
                      Source: VERSION.dll0.4.drStatic PE information: section name: .gikfw
                      Source: VERSION.dll0.4.drStatic PE information: section name: .ktl
                      Source: VERSION.dll0.4.drStatic PE information: section name: .crcn
                      Source: VERSION.dll0.4.drStatic PE information: section name: .wtfr
                      Source: VERSION.dll0.4.drStatic PE information: section name: .hep
                      Source: VERSION.dll0.4.drStatic PE information: section name: .ywg
                      Source: VERSION.dll0.4.drStatic PE information: section name: .sqsp
                      Source: VERSION.dll0.4.drStatic PE information: section name: .gzb
                      Source: VERSION.dll0.4.drStatic PE information: section name: .fatlss
                      Source: VERSION.dll0.4.drStatic PE information: section name: .plqa
                      Source: VERSION.dll0.4.drStatic PE information: section name: .vzt
                      Source: VERSION.dll0.4.drStatic PE information: section name: .dsbyd
                      Source: VERSION.dll0.4.drStatic PE information: section name: .cdelc
                      Source: VERSION.dll0.4.drStatic PE information: section name: .qkhkj
                      Source: VERSION.dll0.4.drStatic PE information: section name: .mnzegr
                      Source: VERSION.dll0.4.drStatic PE information: section name: .krw
                      Source: VERSION.dll0.4.drStatic PE information: section name: .jvsmn
                      Source: VERSION.dll0.4.drStatic PE information: section name: .bygpq
                      Source: VERSION.dll0.4.drStatic PE information: section name: .kzdbu
                      Source: VERSION.dll0.4.drStatic PE information: section name: .mwxorn
                      Source: VERSION.dll0.4.drStatic PE information: section name: .raf
                      Source: VERSION.dll0.4.drStatic PE information: section name: .zcyw
                      Source: VERSION.dll0.4.drStatic PE information: section name: .zeczh
                      Source: VERSION.dll0.4.drStatic PE information: section name: .pvv
                      Source: VERSION.dll0.4.drStatic PE information: section name: .lug
                      Source: VERSION.dll0.4.drStatic PE information: section name: .ski
                      Source: VERSION.dll0.4.drStatic PE information: section name: .japjd
                      Source: VERSION.dll0.4.drStatic PE information: section name: .mwtzml
                      Source: VERSION.dll0.4.drStatic PE information: section name: .vgssf
                      Source: VERSION.dll0.4.drStatic PE information: section name: .qqb
                      Source: VERSION.dll0.4.drStatic PE information: section name: .vje
                      Source: VERSION.dll0.4.drStatic PE information: section name: .rlzfvj
                      Source: XmlLite.dll.4.drStatic PE information: section name: .vxl
                      Source: XmlLite.dll.4.drStatic PE information: section name: .qwubgr
                      Source: XmlLite.dll.4.drStatic PE information: section name: .eer
                      Source: XmlLite.dll.4.drStatic PE information: section name: .xwwauf
                      Source: XmlLite.dll.4.drStatic PE information: section name: .pkc
                      Source: XmlLite.dll.4.drStatic PE information: section name: .npkda
                      Source: XmlLite.dll.4.drStatic PE information: section name: .vhs
                      Source: XmlLite.dll.4.drStatic PE information: section name: .iaywj
                      Source: XmlLite.dll.4.drStatic PE information: section name: .nasi
                      Source: XmlLite.dll.4.drStatic PE information: section name: .zhvprh
                      Source: XmlLite.dll.4.drStatic PE information: section name: .yatdsp
                      Source: XmlLite.dll.4.drStatic PE information: section name: .njso
                      Source: XmlLite.dll.4.drStatic PE information: section name: .lgliat
                      Source: XmlLite.dll.4.drStatic PE information: section name: .ntqjh
                      Source: XmlLite.dll.4.drStatic PE information: section name: .sucsek
                      Source: XmlLite.dll.4.drStatic PE information: section name: .qsxjui
                      Source: XmlLite.dll.4.drStatic PE information: section name: .twctcm
                      Source: XmlLite.dll.4.drStatic PE information: section name: .nms
                      Source: XmlLite.dll.4.drStatic PE information: section name: .ogj
                      Source: XmlLite.dll.4.drStatic PE information: section name: .vrkgb
                      Source: XmlLite.dll.4.drStatic PE information: section name: .gikfw
                      Source: XmlLite.dll.4.drStatic PE information: section name: .ktl
                      Source: XmlLite.dll.4.drStatic PE information: section name: .crcn
                      Source: XmlLite.dll.4.drStatic PE information: section name: .wtfr
                      Source: XmlLite.dll.4.drStatic PE information: section name: .hep
                      Source: XmlLite.dll.4.drStatic PE information: section name: .ywg
                      Source: XmlLite.dll.4.drStatic PE information: section name: .sqsp
                      Source: XmlLite.dll.4.drStatic PE information: section name: .gzb
                      Source: XmlLite.dll.4.drStatic PE information: section name: .fatlss
                      Source: XmlLite.dll.4.drStatic PE information: section name: .plqa
                      Source: XmlLite.dll.4.drStatic PE information: section name: .vzt
                      Source: XmlLite.dll.4.drStatic PE information: section name: .dsbyd
                      Source: XmlLite.dll.4.drStatic PE information: section name: .cdelc
                      Source: XmlLite.dll.4.drStatic PE information: section name: .qkhkj
                      Source: XmlLite.dll.4.drStatic PE information: section name: .mnzegr
                      Source: XmlLite.dll.4.drStatic PE information: section name: .krw
                      Source: XmlLite.dll.4.drStatic PE information: section name: .jvsmn
                      Source: XmlLite.dll.4.drStatic PE information: section name: .bygpq
                      Source: XmlLite.dll.4.drStatic PE information: section name: .kzdbu
                      Source: XmlLite.dll.4.drStatic PE information: section name: .mwxorn
                      Source: XmlLite.dll.4.drStatic PE information: section name: .raf
                      Source: XmlLite.dll.4.drStatic PE information: section name: .zcyw
                      Source: XmlLite.dll.4.drStatic PE information: section name: .zeczh
                      Source: XmlLite.dll.4.drStatic PE information: section name: .pvv
                      Source: XmlLite.dll.4.drStatic PE information: section name: .lug
                      Source: XmlLite.dll.4.drStatic PE information: section name: .ski
                      Source: XmlLite.dll.4.drStatic PE information: section name: .japjd
                      Source: XmlLite.dll.4.drStatic PE information: section name: .mwtzml
                      Source: XmlLite.dll.4.drStatic PE information: section name: .vgssf
                      Source: XmlLite.dll.4.drStatic PE information: section name: .qqb
                      Source: XmlLite.dll.4.drStatic PE information: section name: .vje
                      Source: XmlLite.dll.4.drStatic PE information: section name: .kvmwo
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF672558AD0 LoadLibraryW,GetProcAddress,GetCurrentProcess,FreeLibrary, 35_2_00007FF672558AD0
                      Source: FileHistory.exe.4.dr | Static PE information: 0xFAD0FCA2 [Mon May 7 16:56:02 2103 UTC]
                      Source: initial sample | Static PE information: section name: .text entropy: 7.78392111205
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\u70W8\UxTheme.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\u70W8\FileHistory.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\rgsL2C4\BdeUISrv.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Odp\GamePanel.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Odp\dwmapi.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\vVin\unregmp2.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\pkru2Wsoo\PresentationHost.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\vVin\VERSION.dll
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe | Code function: 35_2_00007FF67254FC14 GetWindowsDirectoryW,_wcsicmp,GetPrivateProfileStringW,wcsstr,_wcsicmp,_wcsicmp,_wcsicmp,WritePrivateProfileStringW,GetProfileStringW,_wcsicmp,_wcsicmp,WriteProfileStringW,WriteProfileStringW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegQueryValueExW,RegSetValueExW,RegQueryValueExW,RegSetValueExW,RegQueryValueExW,_wcsicmp,RegSetValueExW,RegOpenKeyExW,RegQueryValueExW,RegOpenKeyExW,RegQueryValueExW,_wcsicmp,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,_wcsicmp,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,_wcsicmp,RegSetValueExW,RegSetValueExW,RegSetValueExW,RegCloseKey, 35_2_00007FF67254FC14
                      Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exe TID: 408 - Thread sleep count: 48 > 30
                      Source: C:\Windows\explorer.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll
                      Source: C:\Windows\explorer.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll
                      Source: C:\Windows\explorer.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\rgsL2C4\BdeUISrv.exe
                      Source: C:\Windows\explorer.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe
                      Source: C:\Windows\explorer.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\pkru2Wsoo\PresentationHost.exe
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe - Check user administrative privileges: GetTokenInformation, decision nodes: graph_21-58072
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe - Check user administrative privileges: GetTokenInformation, decision nodes: graph_25-77015
                      Source: C:\Windows\System32\loaddll64.exe - Check user administrative privileges: GetTokenInformation, decision nodes: graph_0-57519
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe - API coverage: 0.3 %
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe - API coverage: 0.2 %
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe - API coverage: 0.2 %
                      Source: C:\Windows\System32\loaddll64.exe - Process information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll64.exe - Code function: 0_2_00007FFC6711DDC0 GetSystemInfo,0_2_00007FFC6711DDC0
                      Source: C:\Windows\System32\loaddll64.exe - Code function: 0_2_00007FFC6711ED10 FindFirstFileExW,0_2_00007FFC6711ED10
                      Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe - Code function: 25_2_00007FFC74C6ED10 FindFirstFileExW,25_2_00007FFC74C6ED10
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe - Code function: 35_2_00007FF672546088 FindFirstFileW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,FindNextFileW,FindClose,RegOpenKeyExW,LoadStringW,RegQueryValueExW,LoadStringW,RegCloseKey,PathAddBackslashW,GetFileAttributesW,RegOpenKeyExW,LoadStringW,RegQueryValueExW,PathAddBackslashW,GetFileAttributesW,RegCloseKey,RegCloseKey,LoadStringW,PathAddBackslashW,GetFileAttributesW,LoadStringW,PathAddBackslashW,GetFileAttributesW,wcsrchr,LoadStringW,PathAddBackslashW,GetFileAttributesW,RegOpenKeyExW,LoadStringW,RegQueryValueExW,PathAddBackslashW,GetFileAttributesW,RegCloseKey,RegCloseKey,LoadStringW,PathAddBackslashW,GetFileAttributesW,LoadStringW,PathAddBackslashW,GetFileAttributesW,wcsrchr,35_2_00007FF672546088
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe - Code function: 35_2_00007FF672545B4C PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,35_2_00007FF672545B4C
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe - Code function: 35_2_00007FF672548BFC CoInitialize,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,CoUninitialize,35_2_00007FF672548BFC
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe - Code function: 35_2_00007FF6725472E8 RegOpenKeyExW,RegQueryValueExW,SHChangeNotify,RegDeleteValueW,wcsrchr,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,RegQueryValueExW,RegCloseKey,35_2_00007FF6725472E8
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe - Code function: 35_2_00007FF6725479C4 SHGetSpecialFolderPathW,PathRemoveFileSpecW,PathRemoveFileSpecW,LoadStringW,PathRemoveFileSpecW,PathAppendW,PathIsDirectoryW,PathRemoveFileSpecW,PathAppendW,PathAppendW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,35_2_00007FF6725479C4
                      Source: explorer.exe, 00000004.00000000.265321965.00000000080ED000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                      Source: explorer.exe, 00000004.00000000.265603387.0000000008223000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
                      Source: explorer.exe, 00000004.00000000.294834055.000000000831D000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: Prod_VMware_SATA
                      Source: explorer.exe, 00000004.00000000.274320160.0000000000680000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: _VMware_SATA_CD00#5&280b647&
                      Source: explorer.exe, 00000004.00000000.301385277.000000000069D000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000004.00000000.294418619.0000000008223000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: VMware SATA CD00
                      Source: explorer.exe, 00000004.00000000.265603387.0000000008223000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
                      Source: explorer.exe, 00000004.00000000.331966593.00000000062C4000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000004.00000000.279138421.0000000004287000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
                      Source: explorer.exe, 00000004.00000000.294398322.000000000820E000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: explorer.exe, 00000004.00000000.265603387.0000000008223000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
                      Source: explorer.exe, 00000004.00000000.265321965.00000000080ED000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: explorer.exe, 00000004.00000000.294418619.0000000008223000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: VMware SATA CD00l
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe - Code function: 37_2_00007FF6BFA32580 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,37_2_00007FF6BFA32580
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe - Code function: 35_2_00007FF672558AD0 LoadLibraryW,GetProcAddress,GetCurrentProcess,FreeLibrary,35_2_00007FF672558AD0
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe - Code function: 37_2_00007FF6BFA580D0 CreateStreamOnHGlobal,CreateXmlWriterOutputWithEncodingName,memset,memset,GetLastError,LocalFree,SetLastError,LocalFree,memset,FormatMessageW,GetLastError,GetProcessHeap,HeapAlloc,BigStrcat,GetLastError,LocalFree,SetLastError,??3@YAXPEAX@Z,LocalFree,LocalFree,LocalFree,??3@YAXPEAX@Z,LocalFree,LocalFree,37_2_00007FF6BFA580D0
                      Source: C:\Windows\System32\loaddll64.exe - Code function: 0_2_00007FFC671097D0 LdrLoadDll,FindClose,0_2_00007FFC671097D0
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe - Code function: 41_2_00007FF76CA3F0A0 BlockInput,SendInput,41_2_00007FF76CA3F0A0
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe - Memory allocated: page read and write | page guard
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe - Code function: 21_2_00007FF6811E7570 SetUnhandledExceptionFilter,21_2_00007FF6811E7570
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe - Code function: 21_2_00007FF6811E77EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_00007FF6811E77EC
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe - Code function: 35_2_00007FF672559D60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,35_2_00007FF672559D60
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe - Code function: 35_2_00007FF67255A060 SetUnhandledExceptionFilter,35_2_00007FF67255A060
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe - Code function: 37_2_00007FF6BFA65060 SetUnhandledExceptionFilter,37_2_00007FF6BFA65060
                      Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe - Code function: 37_2_00007FF6BFA64D80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,37_2_00007FF6BFA64D80
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe - Code function: 41_2_00007FF76CAABD44 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,41_2_00007FF76CAABD44
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe - Code function: 41_2_00007FF76CAABF20 SetUnhandledExceptionFilter,41_2_00007FF76CAABF20

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\explorer.exe - File created: omadmclient.exe.4.dr
                      Source: C:\Windows\System32\rundll32.exe - Memory protected: C:\Windows\explorer.exe base: 7FFC866FEFE0 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe - Memory protected: C:\Windows\explorer.exe base: 7FFC866FE000 protect: page execute read
                      Source: C:\Windows\System32\rundll32.exe - Memory protected: C:\Windows\explorer.exe base: 7FFC85C32A20 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe - Thread APC queued: target process: C:\Windows\explorer.exe
                      Source: C:\Windows\System32\rundll32.exe - Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
                      Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe - Code function: 41_2_00007FF76CAA8CAC mouse_event,SetForegroundWindow,41_2_00007FF76CAA8CAC
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe - Code function: 41_2_00007FF76CAA6418 AllocateAndInitializeSid,GetLastError,CloseHandle,SetLastError,OpenProcessToken,GetLastError,CloseHandle,SetLastError,DuplicateToken,CheckTokenMembership,GetLastError,FreeSid,CloseHandle,CloseHandle,41_2_00007FF76CAA6418
                      Source: explorer.exe, 00000004.00000000.257921423.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.274335367.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.301355437.0000000000688000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: ProgmanEXE^
                      Source: explorer.exe, 00000004.00000000.294181422.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.289310856.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.310394256.00000000080ED000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000004.00000000.301862595.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.318198734.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.258158714.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp - Binary or memory string: Progman
                      Source: explorer.exe, 00000004.00000000.301862595.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.318198734.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.258158714.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp - Binary or memory string: Progmanlock
                      Source: explorer.exe, 00000004.00000000.317889504.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.274743246.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.301385277.000000000069D000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Shell_TrayWnd4
                      Source: explorer.exe, 00000004.00000000.301862595.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.318198734.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.258158714.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp - Binary or memory string: WProgram Manager
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe - Queries volume information: C:\Users\user\AppData\Local\u70W8\FileHistory.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe - Code function: _o__W_Getdays,_o_free,_o_malloc,memmove,_o_free,_o__W_Getmonths,_o_free,_o_malloc,memmove,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx,41_2_00007FF76CA9CE28
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe - Code function: _o__Getdays,_o_free,_o_calloc,_o__Getmonths,_o_free,_o_calloc,_o_calloc,_o____lc_locale_name_func,GetLocaleInfoEx,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,41_2_00007FF76CA90A3C
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe - Code function: _o__Getdays,_o_free,_o__Getmonths,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx,41_2_00007FF76CA9A840
                      Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe - Code function: WindowsGetStringRawBuffer,WideCharToMultiByte,WindowsDeleteString,WindowsDuplicateString,WindowsDeleteString,WindowsDuplicateString,GetUserDefaultUILanguage,LCIDToLocaleName,GetLocaleInfoEx,41_2_00007FF76CA16068
                      Source: C:\Windows\System32\loaddll64.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                      Source: C:\Windows\System32\loaddll64.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe - Code function: 21_2_00007FF6811E7704 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,21_2_00007FF6811E7704
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe - Code function: 35_2_00007FF67254CF64 GetModuleFileNameW,GetFileVersionInfoSizeW,CreateFileW,GetFileTime,FileTimeToSystemTime,memset,GetTimeZoneInformation,SystemTimeToVariantTime,VariantTimeToSystemTime,CloseHandle,GetFileVersionInfoW,VerQueryValueW,35_2_00007FF67254CF64
                      Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe - Code function: 35_2_00007FF67254BABC GetVersionExW,RegOpenKeyExW,RegQueryValueExW,_wtol,RegOpenKeyExW,RegQueryValueExW,wcschr,_wtoi,wcschr,_wtoi,swscanf,swscanf,swscanf,RegCloseKey,35_2_00007FF67254BABC
                      Source: C:\Windows\System32\loaddll64.exe - Code function: 0_2_00007FFC67109400 GetUserNameW,0_2_00007FFC67109400
                      MITRE ATT&CK Matrix, listed per tactic (the counts the report shows next to a technique are kept in brackets):

                      Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
                      Execution: Native API [2], Exploitation for Client Execution [1], Command and Scripting Interpreter [2], Service Execution [1], Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript
                      Persistence: DLL Side-Loading [1], Windows Service [1], Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
                      Privilege Escalation: DLL Side-Loading [1], Windows Service [1], Process Injection [312], Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
                      Defense Evasion: Disable or Modify Tools [11], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [2], Software Packing [2], Timestomp [1], DLL Side-Loading [1], Masquerading [1], Virtualization/Sandbox Evasion [1], Process Injection [312], Rundll32 [1]
                      Credential Access: Input Capture [11], LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
                      Discovery: System Time Discovery [2], Account Discovery [1], File and Directory Discovery [1], System Information Discovery [35], Query Registry [1], Security Software Discovery [21], Virtualization/Sandbox Evasion [1], Process Discovery [3], System Owner/User Discovery [1], Process Discovery
                      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content
                      Collection: Archive Collected Data [1], Input Capture [11], Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
                      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
                      Command and Control: Encrypted Channel [2], Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
                      Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
                      Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
                      Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 595303 | Sample: AyBhhRZXPj | Startdate: 23/03/2022 | Architecture: WINDOWS | Score: 100
                      Signatures on the sample: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures
                      loaddll64.exe 1 started
                        -> rundll32.exe started (signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection))
                             -> explorer.exe 3 55 injected
                                  dropped: C:\Users\user\AppData\Local\...\UxTheme.dll, PE32+; C:\Users\user\AppData\Local\...\WTSAPI32.dll, PE32+; C:\Users\user\AppData\Local\...\VERSION.dll, PE32+; 13 other files (4 malicious)
                                  signature: Benign windows process drops PE files
                                  -> omadmclient.exe started; unregmp2.exe started; mspaint.exe started; 13 other processes
                        -> cmd.exe 1 started
                             -> rundll32.exe started
                        -> rundll32.exe started
                        -> rundll32.exe started

                      Source          Detection  Scanner         Label
                      AyBhhRZXPj.dll  70%        Virustotal
                      AyBhhRZXPj.dll  62%        Metadefender
                      AyBhhRZXPj.dll  88%        ReversingLabs   Win64.Trojan.Occamy
                      AyBhhRZXPj.dll  100%       Avira           TR/Crypt.XPACK.Gen7
                      AyBhhRZXPj.dll  100%       Joe Sandbox ML
                      Source                                              Detection  Scanner         Label
                      C:\Users\user\AppData\Local\Odp\dwmapi.dll          100%       Avira           TR/Crypt.XPACK.Gen7
                      C:\Users\user\AppData\Local\u70W8\UxTheme.dll       100%       Avira           TR/Crypt.ZPACK.Gen
                      C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll    100%       Avira           TR/Crypt.ZPACK.Gen
                      C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll    100%       Avira           TR/Crypt.XPACK.Gen7
                      C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll   100%       Avira           TR/Crypt.ZPACK.Gen
                      C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll      100%       Avira           TR/Crypt.XPACK.Gen4
                      C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll    100%       Avira           TR/Crypt.ZPACK.Gen
                      C:\Users\user\AppData\Local\Odp\dwmapi.dll          100%       Joe Sandbox ML
                      C:\Users\user\AppData\Local\u70W8\UxTheme.dll       100%       Joe Sandbox ML
                      C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll    100%       Joe Sandbox ML
                      C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll    100%       Joe Sandbox ML
                      C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll   100%       Joe Sandbox ML
                      C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll      100%       Joe Sandbox ML
                      C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll    100%       Joe Sandbox ML
                      C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe   0%         Virustotal
                      C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe   0%         Metadefender
                      C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe   0%         ReversingLabs
                      C:\Users\user\AppData\Local\Odp\GamePanel.exe       0%         Virustotal
                      C:\Users\user\AppData\Local\Odp\GamePanel.exe       0%         Metadefender
                      C:\Users\user\AppData\Local\Odp\GamePanel.exe       0%         ReversingLabs
                      C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe     0%         Metadefender
                      C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe     0%         ReversingLabs
Unpacked PE files: Source | Detection | Scanner | Label
41.2.GamePanel.exe.2470ec10000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
21.2.FileHistory.exe.7ffc74c20000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.7ffc670c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.2.unregmp2.exe.7ffc74c20000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
37.2.omadmclient.exe.7ffc74c20000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.2.FileHistory.exe.216cde30000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
5.2.rundll32.exe.7ffc670c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
41.2.GamePanel.exe.7ffc678e0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.1ff796f0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
25.2.mspaint.exe.7ffc74c10000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.rundll32.exe.7ffc670c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.loaddll64.exe.228311a0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
2.2.rundll32.exe.1b4136b0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
0.2.loaddll64.exe.7ffc670c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
25.2.mspaint.exe.214ad6f0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
35.2.unregmp2.exe.292a12f0000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
5.2.rundll32.exe.2a99d010000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
3.2.rundll32.exe.1a65a440000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
3.2.rundll32.exe.7ffc670c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
37.2.omadmclient.exe.2684a170000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      No Antivirus matches
URLs: Source | Detection | Scanner | Label
https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD | 0% | Avira URL Cloud | safe
                      No contacted domains info
Contacted URLs: Name | Source | Malicious | Antivirus Detection | Reputation
https://mixer.com/api/v1/oauth/xbl/login | GamePanel.exe | false |  | high
https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw | GamePanel.exe | false |  | high
https://aka.ms/imrx2o | GamePanel.exe | false |  | high
https://mixer.com/_latest/assets/emoticons/%ls.png | GamePanel.exe | false |  | high
https://mixer.com/api/v1/users/current | GamePanel.exe | false |  | high
https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia | GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | false |  | high
https://mixer.com/api/v1/broadcasts/current | GamePanel.exe, GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | false |  | high
https://mixer.com/%wsWindows.System.Launcher | GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | false |  | high
https://aka.ms/v5do45 | GamePanel.exe | false |  | high
https://mixer.com/api/v1/types/lookup%ws | GamePanel.exe | false |  | high
https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth | GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | false |  | high
https://aka.ms/wk9ocd | GamePanel.exe, GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | false |  | high
https://MediaData.XboxLive.com/broadcasts/Augment | GamePanel.exe | false |  | high
https://aka.ms/imfx4k | GamePanel.exe | false |  | high
https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD | GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | false | Avira URL Cloud: safe | low
https://MediaData.XboxLive.com/gameclips/Augment | GamePanel.exe | false |  | high
https://www.xboxlive.com | GamePanel.exe | false |  | high
https://mixer.com/api/v1/channels/%d | GamePanel.exe | false |  | high
https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v | GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | false |  | high
https://mixer.com/api/v1/channels/%ws | GamePanel.exe | false |  | high
https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC | GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | false |  | high
https://MediaData.XboxLive.com/screenshots/Augment | GamePanel.exe | false |  | high
https://mixer.com/api/v1/chats/%.0f | GamePanel.exe | false |  | high
https://aka.ms/ifg0es | GamePanel.exe | false |  | high
https://mixer.com/%ws | GamePanel.exe | false |  | high
https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING | GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp | false |  | high
https://aka.ms/w5ryqn | GamePanel.exe | false |  | high
                                                                          No contacted IP infos
                                                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                                                          Analysis ID:595303
                                                                          Start date and time:2022-03-23 14:40:41 +01:00
                                                                          Joe Sandbox Product:CloudBasic
                                                                          Overall analysis duration:0h 17m 21s
                                                                          Hypervisor based Inspection enabled:false
                                                                          Report type:full
                                                                          Sample file name:AyBhhRZXPj (renamed file extension from none to dll)
                                                                          Cookbook file name:default.jbs
                                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:41
                                                                          Number of new started drivers analysed:0
                                                                          Number of existing processes analysed:0
                                                                          Number of existing drivers analysed:0
                                                                          Number of injected processes analysed:1
                                                                          Technologies:
                                                                          • HCA enabled
                                                                          • EGA enabled
                                                                          • HDC enabled
                                                                          • AMSI enabled
                                                                          Analysis Mode:default
                                                                          Analysis stop reason:Timeout
                                                                          Detection:MAL
                                                                          Classification:mal100.troj.evad.winDLL@49/18@0/0
                                                                          EGA Information:
                                                                          • Successful, ratio: 100%
                                                                          HDC Information:
                                                                          • Successful, ratio: 23.6% (good quality ratio 16.4%)
                                                                          • Quality average: 43.9%
                                                                          • Quality standard deviation: 37%
                                                                          HCA Information:
                                                                          • Successful, ratio: 98%
                                                                          • Number of executed functions: 96
                                                                          • Number of non-executed functions: 105
                                                                          Cookbook Comments:
                                                                          • Adjust boot time
                                                                          • Enable AMSI
                                                                          • Override analysis time to 240s for rundll32
                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                                          • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                                                          • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                          • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtEnumerateKey calls found.
                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                          No simulations
                                                                          No context
                                                                          Process:C:\Users\user\AppData\Local\u70W8\FileHistory.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):42
                                                                          Entropy (8bit):4.0050635535766075
                                                                          Encrypted:false
                                                                          SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                          MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                          SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                          SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                          SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                          Malicious:false
                                                                          Reputation:unknown
                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1380352
                                                                          Entropy (8bit):5.14522678065983
                                                                          Encrypted:false
                                                                          SSDEEP:12288:3ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw8Ib:3ZK6F7n5eRmDFJivohZFV8W
                                                                          MD5:EF4106DB513D825B821B6BAE9E504D27
                                                                          SHA1:383AA64894D212196C899AF3F850C9B189E1EC60
                                                                          SHA-256:08AFB768749C8F06C7FB5CD2B0FA3DF90EBD19A30244E19840DC434B5C2435B6
                                                                          SHA-512:199F4A0F739DAE81B46CAF24D7ADD13CAAFBFEBA7A558C004220D2F6B669BF15732D415D323EDB08576E22A229CCBA8064AF83813C8F54BCA962E83DF2243E56
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Reputation:unknown
                                                                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.:...}^.........." ..... ...........$.........@..........................................`..............................................l..$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):6780928
                                                                          Entropy (8bit):6.184072371216434
                                                                          Encrypted:false
                                                                          SSDEEP:98304:ez2u7InCOgQwyRPM1mlawYL260GBGrGrGWAub7jPhivQ:ez6n/gQw4MIlawYVb7jP8v
                                                                          MD5:99F86A0D360FD9A3FCAD6B1E7D92A90C
                                                                          SHA1:65F36247C0FFBB881947F68B352128C0C9CFCBE5
                                                                          SHA-256:D46519B76D09DFF8BC5C7B34A4E73AD8E7CF6E4C40BDAD6C769E34A099ECE017
                                                                          SHA-512:5071487AA218712FBA3A1FCEA6A810C3B27D26A145BC728315CA8078B6A88E51989038CAE4F5EE494B1FEE7515C6E86742D280D1A763B044BDBE7D2E360124A9
                                                                          Malicious:false
                                                                          Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Reputation:unknown
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................;...............................o............W..........Rich............PE..d.....S..........."......j...<^.....0..........@..............................g......_h...`.......... ......................................X........p..`BY......f............g..*...,..T....................9..(... ................:..("......@....................text....i.......j.................. ..`.rdata...............n..............@..@.data........`...P...L..............@....pdata...f.......h..................@..@.didat..h....`......................@....rsrc...`BY..p...DY.................@..@.reloc...*....g..,...Lg.............@..B................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1292288
                                                                          Entropy (8bit):6.159394598062476
                                                                          Encrypted:false
                                                                          SSDEEP:24576:tg6uRV8QrFa8Zdntp/LEz2INhgITVXTvlHQroF:tgJVbFaqtpDEznyQVjvZQroF
                                                                          MD5:4EF330EFAE954723B1F2800C15FDA7EB
                                                                          SHA1:3E152C0B10E107926D6A213C882C161D80B836C9
                                                                          SHA-256:0494166D4AE6BB7925E4F57BB6DFAC629C95AE9E03DFC925F8232893236BD982
                                                                          SHA-512:C122CD7A245EF6A6A7B7DECAB6500BDC11E4C57B8E35F8462CC0615E44E54071E6BF79B69BB8519470ACBAF0D2E62ABC45C38CBF0606261792EDB4A84790EC61
                                                                          Malicious:false
                                                                          Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Reputation:unknown
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.ur.`.!.`.!.`.!...!P`.!... .`.!... .`.!... 4`.!... 9`.!.`.!de.!... .`.!...!.`.!...!.`.!... .`.!Rich.`.!........PE..d................"......H..........0..........@.............................@....................... ...................................................u......`................:..p...T....................@..(...pp..............8@..H... ...@....................text....F.......H.................. ..`.imrsiv......`...........................rdata......p.......L..............@..@.data...............................@....pdata..`............~..............@..@.didat.......p......................@....rsrc....u.......v..................@..@.reloc...:.......<...|..............@..B................................................................................................................................................................................
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1355776
                                                                          Entropy (8bit):5.1221876396248325
                                                                          Encrypted:false
                                                                          SSDEEP:12288:zZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:zZK6F7n5eRmDFJivohZFV
                                                                          MD5:921B46AEA923BE300B1D6EF4E7C1CC5F
                                                                          SHA1:40CBBD90B7F456E05C533C1066DD2D8F5601FA90
                                                                          SHA-256:F7DCD2DCAF06B60C5DAEA5E89C60030F2571B662C2383FC876742E96F52B3C76
                                                                          SHA-512:22C21A6A7F802DBAB287513D47E8DBADFBAD215258D43D8A5F0B3292836B8EA58F1B0C94F3ACF3AACAEC6BEE87DCC68BCF269BE712B3A78C4F9099AFF9B0133D
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Reputation:unknown
                                                                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.:...}^.........." ..... ...........$.........@..........................................`.............................................&...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1638400
                                                                          Entropy (8bit):5.548556004393981
                                                                          Encrypted:false
                                                                          SSDEEP:12288:6ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuwujCTy+:6ZK6F7n5eRmDFJivohZFVujCG
                                                                          MD5:DB436F220DAA0C2AF20E59BCE6EEC8B5
                                                                          SHA1:26DB68E5B14525B216760A40C474477014543776
                                                                          SHA-256:4D70CB2101B735E522F8EB0B3DF0E11D1DCCBF3828AEA07B94D19ACFE9EC3AA6
                                                                          SHA-512:7F86D71ED7833493A82845BDE6C53CA0CD19F474891D8397FFC0AF7E3750402DBCFB66B2BA6B2D208D9518597439DB21C40C39EA8C52070667F9FC9756CE0F9F
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Reputation:unknown
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):65704
                                                                          Entropy (8bit):5.834154867756865
                                                                          Encrypted:false
                                                                          SSDEEP:1536:B14+6gGQ7ubZiQ+KytHIyObsvqr9PxDt8PcPs:QgGIu1iFtHJLu9ZDt8kU
                                                                          MD5:4849E997AF1274DD145672A2F9BC0827
                                                                          SHA1:D24E9C6079A20D1AED8C1C409C3FC8E1C63628F3
                                                                          SHA-256:B43FC043A61BDBCF290929666A62959C8AD2C8C121C7A3F36436D61BBD011C9D
                                                                          SHA-512:FB9227F0B758496DE1F1D7CEB3B7A5E847C6846ADD360754CFB900358A71422994C4904333AD51852DC169113ACE4FF3349520C816E7EE796E0FBE6106255AEF
                                                                          Malicious:false
                                                                          Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Reputation:unknown
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1355776
                                                                          Entropy (8bit):5.1147607814329605
                                                                          Encrypted:false
                                                                          SSDEEP:12288:hZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:hZK6F7n5eRmDFJivohZFV
                                                                          MD5:44295A0E00ADDDD50261D8F890897B4D
                                                                          SHA1:856508331E1867C99519588A25DE434090D05FA5
                                                                          SHA-256:973CDBB17CDCE9C019AAE83347912CCE7955D1D8DB1B8DC80082B15EDC28206B
                                                                          SHA-512:B8A99ADEF9BFA3BB5D3D7BFEC9489405EF5D3381E4B7723CABB84113C6E073F2D96371ACE74988F7953FBF722121E0F78B89A9621D89A9C5D82BE2051CF5A30E
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Reputation:unknown
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):315904
                                                                          Entropy (8bit):6.1346795928867035
                                                                          Encrypted:false
                                                                          SSDEEP:6144:uwqIVaD9RkjUYNBDXEDBdcA1gBnbC03j0xjGKEgsQOQ25te8lG:XqIVaDrn6BD0NOA1gBnfj01QW
                                                                          MD5:AD7C6CD7A8EEC95808AA77C5D7987941
                                                                          SHA1:96985DDF5C2C30918F69CA4405D955BDD0C7E44E
                                                                          SHA-256:D7EED58A955ED6ADEF429FA78F82776BBC905C507E1ABE6D5CFCD5C8AC1B0AC9
                                                                          SHA-512:047EA8C542774045450B51BF367C75B4ED11E883553842BCACD9E6DFC4C27CDC8BE86A9BADFD5345DA068B4A881BC8522525BF9CEC72FEE1856E365E7CD2015E
                                                                          Malicious:false
                                                                          Reputation:unknown
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):259072
                                                                          Entropy (8bit):6.5074250085194665
                                                                          Encrypted:false
                                                                          SSDEEP:6144:8kfs4/kfxzJTbHfyH5KNXwy3Odjp19k5KNXf:fs4ixzJTbHmKVwy3OdLaKV
                                                                          MD5:E3053C73EA240F4C2F7971B3905A91CF
                                                                          SHA1:1848AD66BD55E5484616FB85E80BA58BE1D5BA4B
                                                                          SHA-256:0BACCDB2B5ACB7B3C2E9085655457532964CAFFF1AE250016CE1A80E839B820C
                                                                          SHA-512:167BCC3E2552286F7D985A65674DA2FF0D0AA6A7F0C4C3B43193943B606E0133C06EEB33656EFBB8B827AC9221FB1BA00A49ADCC2489BD4F38DF62A015806DE3
                                                                          Malicious:false
                                                                          Reputation:unknown
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1355776
                                                                          Entropy (8bit):5.115920691070016
                                                                          Encrypted:false
                                                                          SSDEEP:12288:vZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:vZK6F7n5eRmDFJivohZFV
                                                                          MD5:4F53DEE2F65AEDCF002B0D96E136EA3E
                                                                          SHA1:E6B72A1016718C24DF891B7A7A4A2B389E2E8F32
                                                                          SHA-256:68E5BFBFFA535A346A0203DB796A87168AB0D81619AC2E0B688E1120B6E71253
                                                                          SHA-512:401FAE3B8A52F7ED45078DB29E0D33B31878F7D78F8C9C23DD898121118A4BAD13A23313249648BC2A5ED468813CA1843610B9640C982E40832D34FBA9AC77A6
                                                                          Malicious:true
                                                                          Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Reputation:unknown
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):52736
                                                                          Entropy (8bit):5.7946530792580475
                                                                          Encrypted:false
                                                                          SSDEEP:768:NS51B2sZMD1mYu/Lr7p0dHkf9abpWnGjTopPjZdWC2bNrHuOKAh/4J99j4ktPUww:J/Yn/Lr7qwYb7/oRjeJh2991t8Yte
                                                                          MD5:25D86BC656025F38D6E626B606F1D39D
                                                                          SHA1:673F32CCA79DC890ADA1E5A2CF6ECA3EF863629D
                                                                          SHA-256:202BEC0F63167ED57FCB55DB48C9830A5323D72C662D9A58B691D16CE4DB8C1E
                                                                          SHA-512:D4B4BC411B122499E611E1F9A45FD40EC2ABA23354F261D4668BF0578D30AEC5419568489261FC773ABBB350CC77C1E00F8E7C0B135A1FD4A9B6500825FA6E06
                                                                          Malicious:false
                                                                          Reputation:unknown
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1355776
                                                                          Entropy (8bit):5.124725524561735
                                                                          Encrypted:false
                                                                          SSDEEP:12288:CZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:CZK6F7n5eRmDFJivohZFV
                                                                          MD5:50047C3C2FDDB29A6170BF9FB64D658F
                                                                          SHA1:E7FD6768FA2840B0AE0665705B1D17845E11D949
                                                                          SHA-256:B90283A2A83F8711C82411C783A2194C3F2A5C197021E3D3F8B7D1CCB185C763
                                                                          SHA-512:0AAE4C226EE7B4710993E52C36D042FB255B13D554A1068D008596E713F02E8EAB9631742322697F799CFF5C2854754C749DD96BE1590F3253E15C001E082722
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Reputation:unknown
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):246784
                                                                          Entropy (8bit):6.054877934071265
                                                                          Encrypted:false
                                                                          SSDEEP:3072:5WQz0maAVV604aFUxzYuVD8o+otIxAGQW7A70TshCbdmyTVulAyXRON:5WZmxPZUxzYuVD8ortIxAGJKSuCbd
                                                                          MD5:989B5BDB2BEAC9F894BBC236F1B67967
                                                                          SHA1:7B964642FEE2D6508E66C615AA6CF7FD95D6196E
                                                                          SHA-256:FF1DE8A606FDB6A932E7A3E5EE5317A6483F08712DE93603C92C058E05A89C0C
                                                                          SHA-512:0360C9FE88743056FD25AC17F12087DAD026B033E590A93F394B00EB486A2F5E2331EDCCA9605AA7573D892FBA41557C9E0EE4FAC69FCA687D6B6F144E5E5249
                                                                          Malicious:false
                                                                          Reputation:unknown
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1355776
                                                                          Entropy (8bit):5.12781164219402
                                                                          Encrypted:false
                                                                          SSDEEP:12288:mZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:mZK6F7n5eRmDFJivohZFV
                                                                          MD5:76A91627D3EEA2BEF8EE5C34AACAE4CA
                                                                          SHA1:6588DF88F6E323D1A50D7072FD06FD988CF46813
                                                                          SHA-256:B39F61630D4E6D5480F9753656363D95BB70B013C9AD6744A04B0625EB7B406A
                                                                          SHA-512:9AA9E3F80148D341C6ED163F6B50692E8C06685492EF8F5E24796E15E139E0102F7BF0C190E6C6D02496E7896210FED17EF64068F2B8F04513D83E3633ABC2B8
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Reputation:unknown
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1355776
                                                                          Entropy (8bit):5.115947255580537
                                                                          Encrypted:false
                                                                          SSDEEP:12288:pZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:pZK6F7n5eRmDFJivohZFV
                                                                          MD5:8E1EDE32BC38B1366D17603AD093B828
                                                                          SHA1:558B6C1219EF5E58A0386A13DF8C451BD0135BB3
                                                                          SHA-256:B0093BAA1CE69EF63A7CF2A8C59D6EF94FBDEE8C05AF26B04D6BB029205E2AF2
                                                                          SHA-512:0E4F519D25B16643540E0CB8053AAFB97EC938E93879B51AF92C7031D13E92A28AC2695D6AAB39E0C4468465B0FC885190E0F2A812C6BAED12E186C1EDABD05D
                                                                          Malicious:false
                                                                          Reputation:unknown
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):254976
                                                                          Entropy (8bit):5.093220071075157
                                                                          Encrypted:false
                                                                          SSDEEP:3072:1t+/6BNqqNRhdutq4jCoNhdxtYEbvyIwYKO8/+9vAwk4OdamabJ9:3Bhhd+7QKb
                                                                          MD5:9B517303C58CA8A450B97B0D71594CBB
                                                                          SHA1:BE75E3F10E17400DA7C0FAF70BF16EE7D0AA93A8
                                                                          SHA-256:2A38BFC3813D7E845F455B31DF099C8A6E657EF4556BFF681315F86A883A3314
                                                                          SHA-512:6A47EC7800E1F1FCDBB44A018147CE4A87FF0F5B94597B182AAE4E8545D9B18FAAAA07379BA1086D8F7785F0F66C36E4B6C68FCF49130333B8A9DC3A9E9E08E8
                                                                          Malicious:false
                                                                          Reputation:unknown
                                                                          Process:C:\Windows\explorer.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1450
                                                                          Entropy (8bit):7.361727904797889
                                                                          Encrypted:false
                                                                          SSDEEP:24:UKUUXqUcSodCyBlrAEKWs6/hAnL4XdQc2aBtHX:U7U6Uc625AnL4XdQcht3
                                                                          MD5:5F02ECE7D1EB5FADDDFDEBE2D3475E9A
                                                                          SHA1:4D62C892CCC31C9079E2F22D909AF2CB3AAD74C1
                                                                          SHA-256:B1C472B75EF62235374FF8CF1B83E53D52971FA9A755F7C60C9BBA2951133A3F
                                                                          SHA-512:1ED4B6120EE533D907084AE9999A257517EAFC30A8CE25F6E88EACB556D907A91B03FF5B2DC4F90F5F2A448913C25F80D100314EB1519F8EED9ECB21707E4360
                                                                          Malicious:false
                                                                          Reputation:unknown
                                                                          Preview:........................................user.....................RSA1.................8.".Mc.j....3.........}...7.<..M..D9..Z..#x.>JFs.`.vJ..y9+.$...n(ck.G!IS.@.@k..}..Mb...^X.t..6......L.E.q]/A..Z....<.W.....................z..O......w...L.aI....?E......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....A .U...c..e...2.>B....PE..#............. ...).GX.v.Y.X.8..@..EK.6.[h8.q.j\.)......#....d*i.Q.."n.!6'oj..g..R.[..RS....&.G..H^(O..WP......(...i0.1.=T......8L.L]...o.*U.DA......a.t..R..U*.Ob...@....8..V&1...6. ...2V.G.....4#=:NnN..;.H..Gz...F....@...w....l^V0q.r.%<.k#.1c..H.BR.....o.*E.L....<..X...S5........RZv,q#=6..>.W.:.a.f.6\..6.......Dj&!B=..i..Hi.6.9~.Y6O...P.2.C..g.>.J....Z..o...,.vO$@..Y.GY..zd.Yuy..1...z..1U2..c.={...P&.VW..BL..x..m...^H......"..5.L.Y...D..]...\.}.Jhg..K...n.4%.t....w..g2..#2.4gI.2.Y.y.<l.8.... .?.C]...[...U..t..~7......K..+.a.c.@.^_^;....I.w.d/9..Fi..9...+,.Blc.+..`..0HU.f.}.....?..8k1Y\{6l.I.#.1..f.`.?8A....r.x.m.o.
                                                                          File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Entropy (8bit):5.128940497635626
                                                                          TrID:
                                                                          • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                          • Win64 Executable (generic) (12005/4) 10.17%
                                                                          • Generic Win/DOS Executable (2004/3) 1.70%
                                                                          • DOS Executable Generic (2002/1) 1.70%
                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                          File name:AyBhhRZXPj.dll
                                                                          File size:1351680
                                                                          MD5:518cc4a9888e76bc1a916fd67a08a075
                                                                          SHA1:148d6f12f12a0cae195f36f4319839f6687b7144
                                                                          SHA256:57b0d95f62fc7999dd21b6a0aef4087ad855ccb2d28b99463ee6c88ddf037009
                                                                          SHA512:b14a3bcbfa68e5cf71ccfdd68ff5da696ca1e44073dbf6cd4d15dfab2a9ff29f56855c828ae7ac0dc346dfab93679f7d1ae52cb24ccc2976e6d4ba1fb5f6221e
                                                                          SSDEEP:12288:aZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:aZK6F7n5eRmDFJivohZFV
                                                                          File Content Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb......qb.;...{qb......qb
                                                                          Icon Hash:74f0e4ecccdce0e4
                                                                          Entrypoint:0x1400424b0
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x140000000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                          Time Stamp:0x5E7D9D05 [Fri Mar 27 06:28:21 2020 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:5
                                                                          OS Version Minor:0
                                                                          File Version Major:5
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:5
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:4a2e61e1749a0183eccaadb9c4ef6ec2
Instruction (entry-point bytes as decoded by the report; the decoder treats this PE32+ image as 32-bit code, so the recurring "dec eax", "dec esp", "inc esp" and similar one-byte lines are REX prefix bytes (0x48, 0x4C, 0x44, ...) that belong to the 64-bit instruction printed on the following line, e.g. "dec eax" followed by "mov dword ptr [00070639h], ecx" is a single RIP-relative "mov qword ptr [rip+disp32], rcx"; the absolute operand addresses and branch targets are therefore not meaningful as printed)
                                                                          dec eax
                                                                          mov dword ptr [00070639h], ecx
                                                                          dec eax
                                                                          lea ecx, dword ptr [FFFFF2F2h]
                                                                          dec esp
                                                                          mov dword ptr [0007064Bh], eax
                                                                          dec esp
                                                                          mov dword ptr [00070654h], edi
                                                                          dec esp
                                                                          mov dword ptr [00070655h], esi
                                                                          dec eax
                                                                          xor eax, eax
                                                                          dec eax
                                                                          inc eax
                                                                          dec eax
                                                                          add ecx, eax
                                                                          dec esp
                                                                          mov dword ptr [00070655h], esp
                                                                          dec eax
                                                                          dec ecx
                                                                          dec eax
                                                                          mov dword ptr [00070653h], esi
                                                                          dec eax
                                                                          test eax, eax
                                                                          je 00007F93DCE90D1Dh
                                                                          dec eax
                                                                          mov dword ptr [0007060Fh], esp
                                                                          dec eax
                                                                          mov dword ptr [00070600h], ebp
                                                                          dec eax
                                                                          mov dword ptr [00070649h], ebx
                                                                          dec eax
                                                                          mov dword ptr [0007063Ah], edi
                                                                          dec eax
                                                                          test eax, eax
                                                                          je 00007F93DCE90CFCh
                                                                          dec esp
                                                                          mov dword ptr [000705FEh], ecx
                                                                          dec esp
                                                                          mov dword ptr [0007060Fh], ebp
                                                                          dec eax
                                                                          mov dword ptr [000705D0h], edx
                                                                          jmp ecx
                                                                          dec eax
                                                                          add edi, ecx
                                                                          retn 0008h
                                                                          ud2
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          int3
                                                                          push esi
                                                                          dec eax
                                                                          sub esp, 00000080h
                                                                          dec eax
                                                                          mov dword ptr [esp+78h], 58225FC8h
                                                                          mov dword ptr [esp+60h], 2DFAE652h
                                                                          mov al, byte ptr [esp+77h]
                                                                          mov dl, al
                                                                          add dl, FFFFFF85h
                                                                          mov byte ptr [esp+77h], dl
                                                                          mov word ptr [esp+5Eh], 3327h
                                                                          dec esp
                                                                          mov eax, dword ptr [esp+78h]
                                                                          inc esp
                                                                          mov ecx, dword ptr [esp+64h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x149010         0x2ca         .vje
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa9924          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbf000          0x3d8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x1000           0x0           .text
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc0000          0xefc         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x43000          0x28          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name     Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type           Entropy         Characteristics
.text    0x1000           0x418cc       0x42000   False     0.781412760417   data                7.78392111205   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata   0x43000          0x66f43       0x67000   False     0.700320938258   data                7.87281050709   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data    0xaa000          0x13ba7       0x14000   False     0.0782836914062  data                2.51707039551   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata   0xbe000          0x138         0x1000    False     0.061279296875   PEX Binary Archive  0.599172422844  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc    0xbf000          0x69e         0x1000    False     0.123291015625   data                1.07831823765   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc   0xc0000          0xf31         0x1000    False     0.416748046875   data                5.36145191459   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vxl     0xc1000          0x14d4        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qwubgr  0xc3000          0x1124        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eer     0xc5000          0x1e66        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xwwauf  0xc7000          0x9cd         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pkc     0xc8000          0x42a         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.npkda   0xc9000          0x736         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vhs     0xca000          0x1af         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.iaywj   0xcb000          0x1455        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nasi    0xcd000          0x8fe         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zhvprh  0xce000          0x6cd0        0x7000    False     0.00177873883929 data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yatdsp  0xd5000          0x543         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.njso    0xd6000          0x1278        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lgliat  0xd8000          0x736         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ntqjh   0xd9000          0xbf6         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sucsek  0xda000          0x23b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qsxjui  0xdb000          0x9cd         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.twctcm  0xdc000          0x1124        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nms     0xde000          0x23b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ogj     0xdf000          0x1278        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vrkgb   0xe1000          0x706         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gikfw   0xe2000          0x8fe         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ktl     0xe3000          0x9cd         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.crcn    0xe4000          0x5a7         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wtfr    0xe5000          0x1ee         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hep     0xe6000          0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ywg     0xe7000          0xd33         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sqsp    0xe8000          0x2da         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gzb     0xe9000          0x23b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fatlss  0xea000          0x736         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.plqa    0xeb000          0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vzt     0xec000          0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dsbyd   0xed000          0x1e66        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cdelc   0xef000          0x736         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qkhkj   0xf0000          0x5a7         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mnzegr  0xf1000          0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.krw     0xf2000          0x23b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jvsmn   0xf3000          0x389         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bygpq   0xf4000          0x1278        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kzdbu   0xf6000          0xbde         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mwxorn  0xf7000          0x3fe         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.raf     0xf8000          0x389         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zcyw    0xf9000          0x2da         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zeczh   0xfa000          0x128f        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pvv     0xfc000          0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lug     0xfd000          0x45174       0x46000   False     0.0010498046875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ski     0x143000         0x8fe         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.japjd   0x144000         0x128f        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mwtzml  0x146000         0x8fe         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vgssf   0x147000         0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qqb     0x148000         0x8fe         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vje     0x149000         0x2da         0x1000    False     0.119873046875   data                1.44574959876   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                    Language  Country
RT_VERSION   0xbf0a0  0x2dc  data                                    English   United States
RT_MANIFEST  0xbf380  0x56   ASCII text, with CRLF line terminators  English   United States
DLL           Import
ADVAPI32.dll  GetServiceDisplayNameW
KERNEL32.dll  LoadLibraryA, HeapUnlock
Name                              Ordinal  Address
ApplyCompatResolutionQuirking     1        0x14000c1b4
CompatString                      2        0x140012180
CompatValue                       3        0x140011544
CreateDXGIFactory                 11       0x14002123c
CreateDXGIFactory1                12       0x14001b1e4
CreateDXGIFactory2                13       0x140023a64
DXGID3D10CreateDevice             14       0x14003a46c
DXGID3D10CreateLayeredDevice      15       0x14003ad28
DXGID3D10ETWRundown               16       0x140037ae0
DXGID3D10GetLayeredDeviceSize     17       0x140038fac
DXGID3D10RegisterLayers           18       0x140007b90
DXGIDeclareAdapterRemovalSupport  19       0x140022980
DXGIDumpJournal                   4        0x1400072e4
DXGIGetDebugInterface1            20       0x1400323d0
DXGIReportAdapterConfiguration    21       0x140023758
DXGIRevertToSxS                   5        0x1400170f8
PIXBeginCapture                   6        0x14001cd84
PIXEndCapture                     7        0x140003058
PIXGetCaptureState                8        0x140022ba4
SetAppCompatStringPointer         9        0x140019d84
UpdateHMDEmulationStatus          10       0x14003fb08
Description       Data
LegalCopyright    Microsoft Corporation. All rights
InternalName      dpnhup
FileVersion       1.56
CompanyName       Microsoft C
ProductName       Sysinternals Streams
ProductVersion    6.1
FileDescription   Thai K
OriginalFilename  dpnhupnp.d
Translation       0x0409 0x04b0

Language of compilation system  Country where language is spoken  Map
English                         United States
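The section table above lists 51 sections with generated names out of 57, every one of them reported at entropy 0.0 except .vje, which the data directory shows holding the export table rather than .rdata; the exports are the export set of Microsoft's dxgi.dll, and the version resource names a ProductName, InternalName and OriginalFilename that do not agree with each other or with those exports. That is the static picture behind the "non-standard names" and "more sections than normal" signatures. The script below is an added example of checking the first two traits on any PE; it is written for this page and is not Joe Sandbox code or code from the sample. It uses only the Python standard library, and the STANDARD_SECTIONS set, the 0.1 entropy threshold, the 12-section limit and the minimal PE32+ file it assembles for itself are all assumptions of the example.

```python
"""Static triage of a PE section table (added example, standard library only).
Flags names outside the usual set and sections whose raw bytes are zero padding.
The name set, thresholds and the constructed sample PE are this example's
assumptions, not facts from the sandbox report."""
import math
import struct
from collections import Counter

STANDARD_SECTIONS = {
    ".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata",
    ".edata", ".tls", ".bss", ".CRT", ".xdata", ".gfids", ".00cfg",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section headers and
    return (name, virtual_size, raw_size, raw_bytes) per section, reading raw
    bytes from the file layout (not from a memory-mapped image)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    first_header = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = first_header + 40 * i
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append((name, vsize, raw_size, raw))
    return sections


def triage(pe: bytes, max_sections: int = 12) -> list:
    """Human-readable findings; an empty list means nothing stood out."""
    sections = parse_sections(pe)
    findings = []
    if len(sections) > max_sections:
        findings.append(f"{len(sections)} sections (more than {max_sections})")
    for name, _vsize, raw_size, raw in sections:
        entropy = shannon_entropy(raw)
        if name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
        if raw_size and entropy < 0.1:
            findings.append(f"{name}: {raw_size:#x} raw bytes with entropy {entropy:.2f} (zero padding)")
    return findings


def build_sample_pe(section_specs: list, file_align: int = 0x200) -> bytes:
    """Assemble a minimal, non-loadable PE32+ file (headers + given sections)
    so the checks can be exercised offline. Constructed test input only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, 240, 0x2022)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, 0x20B)              # PE32+ magic
    headers_end = 0x40 + 4 + 20 + 240 + 40 * len(section_specs)
    first_raw = -(-headers_end // file_align) * file_align  # round up to alignment
    raw_ptr = first_raw
    section_headers, body = bytearray(), bytearray()
    for name, data in section_specs:
        raw_size = -(-len(data) // file_align) * file_align
        section_headers += struct.pack(
            "<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), 0,
            raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)      # INITIALIZED_DATA | MEM_READ
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    image = bytes(dos) + b"PE\0\0" + coff + bytes(optional) + bytes(section_headers)
    return image.ljust(first_raw, b"\0") + bytes(body)


# Constructed input: code-like high-entropy .text, a small .rdata, and two
# zero-filled sections with made-up names in the style of .vxl/.qwubgr above.
SAMPLE_PE = build_sample_pe([
    (".text", bytes(range(256)) * 4),
    (".rdata", b"\x01\x02\x03\x04" * 64),
    (".vxl", b"\0" * 0x1000),
    (".qwubgr", b"\0" * 0x800),
])

if __name__ == "__main__":
    for line in triage(SAMPLE_PE):
        print(line)
```

Run as a script it prints four findings for the built-in sample (two name findings, two padding findings); to triage a real file pass open(path, "rb").read() to triage(). A section that is all zeros on disk contributes nothing at load time, so treat it as a padding indicator to be combined with the name count, the export set and the version-resource mismatch rather than as a verdict on its own, since some packers and build tools also emit unusual section names.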
                                                                          No network behavior found


                                                                          Target ID:0
                                                                          Start time:15:41:44
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\loaddll64.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:loaddll64.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll"
                                                                          Imagebase:0x7ff7ac2b0000
                                                                          File size:140288 bytes
                                                                          MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          Reputation:moderate

                                                                          Target ID:1
                                                                          Start time:15:41:45
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
                                                                          Imagebase:0x7ff6f9620000
                                                                          File size:273920 bytes
                                                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Target ID:2
                                                                          Start time:15:41:45
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking
                                                                          Imagebase:0x7ff7d29d0000
                                                                          File size:69632 bytes
                                                                          MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.363013775.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          Reputation:high

                                                                          Target ID:3
                                                                          Start time:15:41:45
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
                                                                          Imagebase:0x7ff7d29d0000
                                                                          File size:69632 bytes
                                                                          MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.254650738.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          Reputation:high

                                                                          Target ID:4
                                                                          Start time:15:41:48
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                          Imagebase:0x7ff6b8cf0000
                                                                          File size:3933184 bytes
                                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Target ID:5
                                                                          Start time:15:41:49
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatString
                                                                          Imagebase:0x7ff7d29d0000
                                                                          File size:69632 bytes
                                                                          MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.260480210.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          Reputation:high

                                                                          Target ID:8
                                                                          Start time:15:41:52
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatValue
                                                                          Imagebase:0x7ff7d29d0000
                                                                          File size:69632 bytes
                                                                          MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.268092209.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          Reputation:high

                                                                          Target ID:19
                                                                          Start time:15:42:42
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\Magnify.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\Magnify.exe
                                                                          Imagebase:0x7ff7f33c0000
                                                                          File size:809472 bytes
                                                                          MD5 hash:F97BE20B374457236666607EE4BA7F7F
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate

                                                                          Target ID:20
                                                                          Start time:15:42:43
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\FileHistory.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\FileHistory.exe
                                                                          Imagebase:0x7ff6d53b0000
                                                                          File size:246784 bytes
                                                                          MD5 hash:989B5BDB2BEAC9F894BBC236F1B67967
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language

                                                                          Target ID:21
                                                                          Start time:15:42:44
                                                                          Start date:23/03/2022
                                                                          Path:C:\Users\user\AppData\Local\u70W8\FileHistory.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\AppData\Local\u70W8\FileHistory.exe
                                                                          Imagebase:0x7ff6811e0000
                                                                          File size:246784 bytes
                                                                          MD5 hash:989B5BDB2BEAC9F894BBC236F1B67967
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security

                                                                          Target ID:23
                                                                          Start time:15:42:48
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\RdpSa.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\RdpSa.exe
                                                                          Imagebase:0x7ff683750000
                                                                          File size:43008 bytes
                                                                          MD5 hash:0795B6F790F8E52D55F39E593E9C5BBA
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language

                                                                          Target ID:24
                                                                          Start time:15:42:49
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\mspaint.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\mspaint.exe
                                                                          Imagebase:0x7ff77f500000
                                                                          File size:6780928 bytes
                                                                          MD5 hash:99F86A0D360FD9A3FCAD6B1E7D92A90C
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language

                                                                          Target ID:25
                                                                          Start time:15:43:04
                                                                          Start date:23/03/2022
                                                                          Path:C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe
                                                                          Imagebase:0x7ff6efae0000
                                                                          File size:6780928 bytes
                                                                          MD5 hash:99F86A0D360FD9A3FCAD6B1E7D92A90C
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 0%, Virustotal
                                                                          • Detection: 0%, Metadefender
                                                                          • Detection: 0%, ReversingLabs

                                                                          Target ID:32
                                                                          Start time:15:43:23
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\mmc.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\mmc.exe
                                                                          Imagebase:0x7ff617390000
                                                                          File size:1859584 bytes
                                                                          MD5 hash:BA80301974CC8C4FB9F3F9DDB5905C30
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language

                                                                          Target ID:33
                                                                          Start time:15:43:23
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\EaseOfAccessDialog.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\EaseOfAccessDialog.exe
                                                                          Imagebase:0x7ff6664e0000
                                                                          File size:304640 bytes
                                                                          MD5 hash:F87F2E5EBF3FFBA39DF1621B5F8689B5
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language

                                                                          Target ID:34
                                                                          Start time:15:43:24
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\unregmp2.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\unregmp2.exe
                                                                          Imagebase:0x7ff69f7d0000
                                                                          File size:254976 bytes
                                                                          MD5 hash:9B517303C58CA8A450B97B0D71594CBB
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language

                                                                          Target ID:35
                                                                          Start time:15:43:25
                                                                          Start date:23/03/2022
                                                                          Path:C:\Users\user\AppData\Local\vVin\unregmp2.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\AppData\Local\vVin\unregmp2.exe
                                                                          Imagebase:0x7ff672540000
                                                                          File size:254976 bytes
                                                                          MD5 hash:9B517303C58CA8A450B97B0D71594CBB
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000023.00000002.497477137.00007FFC74C21000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security

                                                                          Target ID:36
                                                                          Start time:15:43:41
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\omadmclient.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\omadmclient.exe
                                                                          Imagebase:0x7ff7bc730000
                                                                          File size:315904 bytes
                                                                          MD5 hash:AD7C6CD7A8EEC95808AA77C5D7987941
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language

                                                                          Target ID:37
                                                                          Start time:15:43:43
                                                                          Start date:23/03/2022
                                                                          Path:C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe
                                                                          Imagebase:0x7ff6bfa30000
                                                                          File size:315904 bytes
                                                                          MD5 hash:AD7C6CD7A8EEC95808AA77C5D7987941
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000025.00000002.528095549.00007FFC74C21000.00000020.00000001.01000000.00000012.sdmp, Author: Joe Security

                                                                          Target ID:38
                                                                          Start time:15:43:56
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\SystemPropertiesPerformance.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\SystemPropertiesPerformance.exe
                                                                          Imagebase:0x7ff71c990000
                                                                          File size:83968 bytes
                                                                          MD5 hash:F325976CDC0F7E9C680B51B35D24D23A
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language

                                                                          Target ID:39
                                                                          Start time:15:43:58
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\eudcedit.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\eudcedit.exe
                                                                          Imagebase:0x7ff7f4400000
                                                                          File size:353280 bytes
                                                                          MD5 hash:0ED10F2F98B80FF9F95EED2B04CFA076
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language

                                                                          Target ID:40
                                                                          Start time:15:44:00
                                                                          Start date:23/03/2022
                                                                          Path:C:\Windows\System32\GamePanel.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\GamePanel.exe
                                                                          Imagebase:0x7ff7b7e60000
                                                                          File size:1292288 bytes
                                                                          MD5 hash:4EF330EFAE954723B1F2800C15FDA7EB
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language

                                                                          Target ID:41
                                                                          Start time:15:44:01
                                                                          Start date:23/03/2022
                                                                          Path:C:\Users\user\AppData\Local\Odp\GamePanel.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\AppData\Local\Odp\GamePanel.exe
                                                                          Imagebase:0x7ff76ca00000
                                                                          File size:1292288 bytes
                                                                          MD5 hash:4EF330EFAE954723B1F2800C15FDA7EB
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000029.00000002.566763440.00007FFC678E1000.00000020.00000001.01000000.00000014.sdmp, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 0%, Virustotal
                                                                          • Detection: 0%, Metadefender
                                                                          • Detection: 0%, ReversingLabs


                                                                            Execution Graph

                                                                            Execution Coverage:2.9%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:44%
                                                                            Total number of Nodes:375
                                                                            Total number of Limit Nodes:45
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e041a67c418c1ae1e1846d71522413af02414f75bfd1f7e465d30acbc3f736de
                                                                            • Instruction ID: c78f56406c9c6561432bcf7cdc2e2f26f9ec8b994acfb5efb39312f479c7861d
                                                                            • Opcode Fuzzy Hash: e041a67c418c1ae1e1846d71522413af02414f75bfd1f7e465d30acbc3f736de
                                                                            • Instruction Fuzzy Hash: 0803E266A0C7AEC2EB249F12D4682B967A1FF45B88F444833CA4D07795EF3CE544E760
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseExitProcess
                                                                            • String ID: -R+
                                                                            • API String ID: 3487036407-215093852
                                                                            • Opcode ID: 861e373727f0bf5d6b131c94e4e6e9b6b0c96c54314d595459500fe5a7d22774
                                                                            • Instruction ID: 0bc01b030c3d127525b9bbaef63d67f3c16429dff6ef3f2e8a315d9e09d8e317
                                                                            • Opcode Fuzzy Hash: 861e373727f0bf5d6b131c94e4e6e9b6b0c96c54314d595459500fe5a7d22774
                                                                            • Instruction Fuzzy Hash: ED817F26B1C66AD5FB10EBB2C5652FD2365AF84348F814832DE0E579CADE2CE545C370
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileFindFirst
                                                                            • String ID: .
                                                                            • API String ID: 1974802433-248832578
                                                                            • Opcode ID: 5588d055546eb8cf66efa63037f07df379a20e7f6d9627be0340d4208e6e69ea
                                                                            • Instruction ID: daf6856250c4f48e30f4f7e7ac2b7c69af0f1bd74807e2e3eeb4eaec37b02cd7
                                                                            • Opcode Fuzzy Hash: 5588d055546eb8cf66efa63037f07df379a20e7f6d9627be0340d4208e6e69ea
                                                                            • Instruction Fuzzy Hash: 7241F631A0D265C1EF644B62D1243792391EF44BA8F184A32CA6D1BBD8DF2DE986C320
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1242 7ffc670e7880-7ffc670e78c5 1243 7ffc670e78c7-7ffc670e78ca 1242->1243 1244 7ffc670e78cf-7ffc670e790c call 7ffc6712d8a0 call 7ffc67114bc0 call 7ffc6712d3a0 1242->1244 1245 7ffc670e79b2-7ffc670e79b5 1243->1245 1263 7ffc670e7913-7ffc670e791d 1244->1263 1247 7ffc670e7be8-7ffc670e7bfa call 7ffc67123bb0 1245->1247 1248 7ffc670e79bb-7ffc670e79f4 call 7ffc67107de0 call 7ffc67121850 call 7ffc67100e20 call 7ffc67121ac0 1245->1248 1257 7ffc670e7c0c-7ffc670e7c1d 1247->1257 1258 7ffc670e7bfc-7ffc670e7c07 call 7ffc67121c30 call 7ffc671072a0 1247->1258 1277 7ffc670e79fa-7ffc670e7a05 call 7ffc671075b0 1248->1277 1278 7ffc670e7a83-7ffc670e7a91 call 7ffc67121c30 call 7ffc67123bb0 1248->1278 1258->1257 1266 7ffc670e791f 1263->1266 1267 7ffc670e795e-7ffc670e7969 1263->1267 1272 7ffc670e7920-7ffc670e7939 call 7ffc67123af0 call 7ffc6712d4d0 1266->1272 1267->1263 1270 7ffc670e796b-7ffc670e796f call 7ffc67123bb0 1267->1270 1276 7ffc670e7974-7ffc670e798b 1270->1276 1292 7ffc670e793b-7ffc670e793f 1272->1292 1293 7ffc670e7943-7ffc670e795a call 7ffc67123c50 1272->1293 1280 7ffc670e799d-7ffc670e79ab 1276->1280 1281 7ffc670e798d-7ffc670e7998 call 7ffc67121c30 call 7ffc671072a0 1276->1281 1290 7ffc670e7a14-7ffc670e7a1f call 7ffc671075b0 1277->1290 1291 7ffc670e7a07-7ffc670e7a0f call 7ffc6712cf10 1277->1291 1300 7ffc670e7a96-7ffc670e7a9e 1278->1300 1280->1245 1281->1280 1307 7ffc670e7a25-7ffc670e7a65 call 7ffc670cd690 call 7ffc67107db0 call 7ffc671220e0 call 7ffc67100e20 call 7ffc671075b0 1290->1307 1308 7ffc670e7bdf-7ffc670e7be3 call 7ffc67121c30 1290->1308 1291->1290 1292->1272 1298 7ffc670e7941 1292->1298 1293->1270 1304 7ffc670e795c 1293->1304 1298->1304 1301 7ffc670e7ab0-7ffc670e7ac1 1300->1301 1302 7ffc670e7aa0-7ffc670e7aab call 7ffc67121c30 call 7ffc671072a0 1300->1302 1302->1301 1304->1267 1322 7ffc670e7a67-7ffc670e7a7e call 7ffc671217b0 call 7ffc671223c0 call 7ffc670d36f0 1307->1322 1323 7ffc670e7ac2-7ffc670e7adb call 7ffc67100180 call 7ffc670ffcd0 1307->1323 1308->1247 1322->1278 1333 7ffc670e7b44-7ffc670e7b8e call 7ffc67100150 * 3 call 7ffc671220e0 call 7ffc670e5f40 1323->1333 1334 7ffc670e7add-7ffc670e7ae5 1323->1334 1361 7ffc670e7b94-7ffc670e7bc2 call 7ffc670e5e90 call 7ffc671223c0 call 7ffc670ffca0 * 3 1333->1361 1362 7ffc670e7c1e-7ffc670e7c2b call 7ffc6712d340 1333->1362 1334->1333 1336 7ffc670e7ae7-7ffc670e7af2 call 7ffc6712d340 1334->1336 1342 7ffc670e7b25-7ffc670e7b3f call 7ffc671002b0 1336->1342 1343 7ffc670e7af4-7ffc670e7b0c call 7ffc670ffcd0 1336->1343 1342->1333 1349 7ffc670e7bc7-7ffc670e7bda call 7ffc670ffca0 call 7ffc671223c0 call 7ffc670d36f0 1343->1349 1350 7ffc670e7b12-7ffc670e7b23 call 7ffc67100230 1343->1350 1349->1308 1350->1333 1361->1349 1369 7ffc670e7d15-7ffc670e7ded call 7ffc67106d10 call 7ffc670ffcc0 call 7ffc671090b0 call 7ffc67100bc0 call 7ffc67100e20 call 7ffc671006d0 call 7ffc67100280 call 7ffc670ffcb0 * 2 call 7ffc670f7fac call 7ffc670e5bb0 call 7ffc671002b0 call 7ffc670fbae0 1362->1369 1370 7ffc670e7c31-7ffc670e7d10 call 7ffc67106d10 call 7ffc670ffcc0 call 7ffc671090b0 call 7ffc67100bc0 call 7ffc67100e20 call 7ffc671006d0 call 7ffc67100280 call 7ffc670ffcb0 * 2 call 7ffc670f7fac call 7ffc670e6300 call 7ffc671002b0 call 7ffc670f9990 1362->1370 1428 7ffc670e7df2-7ffc670e7df7 1369->1428 1370->1428 1430 7ffc670e7df9-7ffc670e7e18 call 7ffc671215d0 1428->1430 1431 7ffc670e7e1b-7ffc670e7e81 call 7ffc670e5e90 call 7ffc671223c0 call 7ffc670ffca0 * 4 call 7ffc671223c0 call 7ffc670d36f0 call 7ffc67121c30 call 7ffc67123bb0 1428->1431 1430->1431 1454 7ffc670e7e93-7ffc670e7ea5 1431->1454 1455 7ffc670e7e83-7ffc670e7e8e call 7ffc67121c30 call 7ffc671072a0 1431->1455 1455->1454
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: )8GV$)8GV
                                                                            • API String ID: 0-993736920
                                                                            • Opcode ID: 3711d9fbecb415313570ebbb9bb183def5a52c947dce29ce66411354ce6716ba
                                                                            • Instruction ID: e551a1038a0b7dc92577d3522c0671dbeaf1f1df1bd88cf90cafcf12714557a1
                                                                            • Opcode Fuzzy Hash: 3711d9fbecb415313570ebbb9bb183def5a52c947dce29ce66411354ce6716ba
                                                                            • Instruction Fuzzy Hash: 95F17322A2C56AD5EB10EF72D4612FD6365EF94384F801832EA4D8769ADF3CD546C730
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InfoSystem
                                                                            • String ID:
                                                                            • API String ID: 31276548-0
                                                                            • Opcode ID: e3c5db53bafe4e33eb6ebb8252a414bc0777859787fa4279c39abb1afb630ecb
                                                                            • Instruction ID: e1e2744c765ac1d2e5270ab3169ccf5505fa91137470748f6ccc94a6a02ac708
                                                                            • Opcode Fuzzy Hash: e3c5db53bafe4e33eb6ebb8252a414bc0777859787fa4279c39abb1afb630ecb
                                                                            • Instruction Fuzzy Hash: 2482E462A0C7AAC6EB648B5294602B977A0FF45F85F444C37CA4D0BB95EF3CD654C360
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c5974580d677f27582c2e7808952499b910dd612dca587cb931af837cf1dab6d
                                                                            • Instruction ID: 391c30a6f5a6aa67b95649679ba6576edf73f979575dfece843ae0cef70d7b70
                                                                            • Opcode Fuzzy Hash: c5974580d677f27582c2e7808952499b910dd612dca587cb931af837cf1dab6d
                                                                            • Instruction Fuzzy Hash: 3C72CF62A0C7AAC5EB148F1294683F927A1FF45B88F945833CA8D07799DF3CE540E760
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 2024 7ffc6712d520-7ffc6712d577 call 7ffc67123e50 call 7ffc67123bb0 call 7ffc67100150 2031 7ffc6712d580-7ffc6712d599 call 7ffc67109ad0 2024->2031 2034 7ffc6712d5f5-7ffc6712d621 call 7ffc6711ddc0 call 7ffc670ffcb0 2031->2034 2035 7ffc6712d59b-7ffc6712d5c7 call 7ffc670ffcc0 call 7ffc670ffcb0 NtQuerySystemInformation 2031->2035 2044 7ffc6712d7d7-7ffc6712d7da 2034->2044 2045 7ffc6712d627 2034->2045 2046 7ffc6712d5d0-7ffc6712d5d9 2035->2046 2047 7ffc6712d5c9-7ffc6712d5ce 2035->2047 2049 7ffc6712d83f-7ffc6712d882 call 7ffc670ffca0 call 7ffc67123bb0 2044->2049 2050 7ffc6712d7dc-7ffc6712d7e4 2044->2050 2048 7ffc6712d630-7ffc6712d637 2045->2048 2051 7ffc6712d5e2-7ffc6712d5f3 call 7ffc670ffcc0 call 7ffc67100280 2046->2051 2052 7ffc6712d5db call 7ffc67100280 2046->2052 2047->2034 2047->2046 2054 7ffc6712d63d-7ffc6712d641 2048->2054 2055 7ffc6712d7c8-7ffc6712d7cc 2048->2055 2073 7ffc6712d894-7ffc6712d89d 2049->2073 2074 7ffc6712d884-7ffc6712d88f call 7ffc67121c30 call 7ffc671072a0 2049->2074 2050->2049 2056 7ffc6712d7e6 2050->2056 2051->2031 2063 7ffc6712d5e0 2052->2063 2054->2055 2061 7ffc6712d647-7ffc6712d670 call 7ffc67107360 2054->2061 2055->2044 2059 7ffc6712d7ce-7ffc6712d7d1 2055->2059 2062 7ffc6712d7f0-7ffc6712d803 call 7ffc67123af0 2056->2062 2059->2044 2059->2048 2075 7ffc6712d672-7ffc6712d684 call 7ffc67123af0 2061->2075 2076 7ffc6712d695-7ffc6712d69b 2061->2076 2077 7ffc6712d837-7ffc6712d83d 2062->2077 2078 7ffc6712d805-7ffc6712d80e 2062->2078 2063->2031 2074->2073 2091 7ffc6712d72a-7ffc6712d72d 2075->2091 2092 7ffc6712d68a-7ffc6712d68f 2075->2092 2082 7ffc6712d69d-7ffc6712d6a3 2076->2082 2083 7ffc6712d6a9-7ffc6712d6ae call 7ffc671072c0 2076->2083 2077->2049 2077->2062 2078->2077 2081 7ffc6712d810-7ffc6712d820 call 7ffc67123af0 2078->2081 2099 7ffc6712d822-7ffc6712d826 2081->2099 2100 7ffc6712d82a-7ffc6712d831 2081->2100 2082->2083 2084 7ffc6712d7c5 2082->2084 2089 7ffc6712d6b3-7ffc6712d6bc 2083->2089 2084->2055 2094 7ffc6712d6c2-7ffc6712d728 call 7ffc67101a90 call 7ffc67101660 call 7ffc67100150 2089->2094 2095 7ffc6712d766 2089->2095 2096 7ffc6712d72f-7ffc6712d733 2091->2096 2097 7ffc6712d747-7ffc6712d74a 2091->2097 2092->2075 2098 7ffc6712d691 2092->2098 2104 7ffc6712d769-7ffc6712d7c3 call 7ffc67105840 call 7ffc67102000 call 7ffc67100e20 call 7ffc67102340 call 7ffc671014d0 call 7ffc67100e20 2094->2104 2095->2104 2105 7ffc6712d73d-7ffc6712d741 2096->2105 2106 7ffc6712d735-7ffc6712d738 call 7ffc6712d1e0 2096->2106 2101 7ffc6712d74e-7ffc6712d764 call 7ffc67123c50 2097->2101 2098->2076 2099->2081 2107 7ffc6712d828 2099->2107 2100->2077 2102 7ffc6712d833 2100->2102 2101->2055 2102->2077 2104->2101 2105->2097 2105->2098 2106->2105 2107->2077
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InformationQuerySystem
                                                                            • String ID:
                                                                            • API String ID: 3562636166-0
                                                                            • Opcode ID: e25f91d4ec7704f865dd44938a66bed721d62b213e4dfdd918b4760a7e869e4e
                                                                            • Instruction ID: 9a5e857954b4feeee4f08983d38a76f9fd0217e54200d5ecd28978f74054b5dc
                                                                            • Opcode Fuzzy Hash: e25f91d4ec7704f865dd44938a66bed721d62b213e4dfdd918b4760a7e869e4e
                                                                            • Instruction Fuzzy Hash: 15B19C36A0C65ADAE750EF26D2612AE33B0FF44788F504836DA5D47B95DF38E464C720
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 2128 7ffc671097d0-7ffc671098ad call 7ffc67101a90 * 2 call 7ffc67109230 call 7ffc67102fa0 call 7ffc67100e20 call 7ffc67101ab0 call 7ffc67101b60 * 5 call 7ffc67102f50 call 7ffc6711ee80 2155 7ffc67109a7d-7ffc67109a8a call 7ffc67100e20 2128->2155 2156 7ffc671098b3-7ffc671098b9 2128->2156 2162 7ffc67109a8c-7ffc67109a93 2155->2162 2163 7ffc67109aa0-7ffc67109ab8 call 7ffc67100e20 * 2 2155->2163 2157 7ffc671098c0-7ffc671098f9 call 7ffc67102f50 call 7ffc671032a0 call 7ffc67106180 call 7ffc67100e20 2156->2157 2178 7ffc67109917-7ffc671099d2 call 7ffc67102f70 call 7ffc67101ab0 call 7ffc671011a0 call 7ffc67100150 call 7ffc670ffcb0 * 2 call 7ffc671011a0 call 7ffc671011d0 call 7ffc67109ad0 2157->2178 2179 7ffc671098fb-7ffc67109909 call 7ffc67100e20 call 7ffc6711ec70 2157->2179 2162->2163 2166 7ffc67109a95-7ffc67109a99 2162->2166 2175 7ffc67109aba-7ffc67109acd 2163->2175 2166->2163 2169 7ffc67109a9b call 7ffc6711ec40 2166->2169 2169->2163 2203 7ffc671099f2 2178->2203 2204 7ffc671099d4-7ffc671099f0 call 7ffc670ffcb0 LdrLoadDll 2178->2204 2186 7ffc6710990e-7ffc67109910 2179->2186 2186->2157 2188 7ffc67109912 2186->2188 2188->2155 2206 7ffc671099f5-7ffc671099fc 2203->2206 2204->2206 2208 7ffc671099fe-7ffc67109a00 2206->2208 2209 7ffc67109a5f-7ffc67109a78 call 7ffc670ffca0 call 7ffc67100e20 * 2 2206->2209 2208->2209 2210 7ffc67109a02-7ffc67109a2d call 7ffc670ffca0 call 7ffc67100e20 * 3 2208->2210 2209->2155 2224 7ffc67109a2f-7ffc67109a36 2210->2224 2225 7ffc67109a43-7ffc67109a5d call 7ffc67100e20 * 2 2210->2225 2224->2225 2226 7ffc67109a38-7ffc67109a3c 2224->2226 2225->2175 2226->2225 2228 7ffc67109a3e call 7ffc6711ec40 2226->2228 2228->2225
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileFindLoadNext
                                                                            • String ID:
                                                                            • API String ID: 50669962-0
                                                                            • Opcode ID: 8ae045245011a34f88152a78bb84e1250efdef914e004368085cefc9dfb048a4
                                                                            • Instruction ID: 9e787faa0bceaf3dd038fc7c6bba84c78feb785c7cf1f997af0b5b8443798060
                                                                            • Opcode Fuzzy Hash: 8ae045245011a34f88152a78bb84e1250efdef914e004368085cefc9dfb048a4
                                                                            • Instruction Fuzzy Hash: A1819022A2C56AC5EA10EB62D4792FE6365FFC4744F804932EA4D17ACADF3CE505D720
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: NameUser
                                                                            • String ID:
                                                                            • API String ID: 2645101109-0
                                                                            • Opcode ID: 61134290c5f0672a3f6bf35b943af87a7f429b15799ed0f7774ee38327f57094
                                                                            • Instruction ID: 4ed04fe3c232a77d106ef1f6eeafea0b8ba8b1b5eebf8b3c5c98a56db4f628cd
                                                                            • Opcode Fuzzy Hash: 61134290c5f0672a3f6bf35b943af87a7f429b15799ed0f7774ee38327f57094
                                                                            • Instruction Fuzzy Hash: 8E0175A1A1C55EC2EE10EB16E8751BE5321FFD4784F805833E98E4768BDE2CD115D7A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            • Opcode ID: 860ba978492d36cdfe31f6537ec1931d4b76ea568ca190dfd252f9a33af48d82
                                                                            • Instruction ID: d2315f2b09073cab8a7b48e2db21e56e70bd14cd73f25228fe0c6df8c9263fa5
                                                                            • Opcode Fuzzy Hash: 860ba978492d36cdfe31f6537ec1931d4b76ea568ca190dfd252f9a33af48d82
                                                                            • Instruction Fuzzy Hash: 69D05E51A1D619C2FE2467A3A16D3B402909FD9744F084833CE8E0A3C7EE2C9891D332
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: -R+
                                                                            • API String ID: 0-215093852
                                                                            • Opcode ID: 757887669241c1ad3ea049100046a135482c7929ff5ed67d69c536cca754f35d
                                                                            • Instruction ID: cfd2632594f3b14d0885ed29eabad587f2242df14e5f678503668899f2f13ee1
                                                                            • Opcode Fuzzy Hash: 757887669241c1ad3ea049100046a135482c7929ff5ed67d69c536cca754f35d
                                                                            • Instruction Fuzzy Hash: A9718026B0C669C5FB10EB62E4642EE63A1FF84344F944836EE4D47A8ADF3CE445D720
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a87f18a61a818c4bd4d6f9470d0c0ba478eb8fcb6f6f9b961852b18027112592
                                                                            • Instruction ID: d36a84fac0664f6c7ea9295053ee93fa180d5aa26e9f18f8e7904d6885240924
                                                                            • Opcode Fuzzy Hash: a87f18a61a818c4bd4d6f9470d0c0ba478eb8fcb6f6f9b961852b18027112592
                                                                            • Instruction Fuzzy Hash: D172B262A0D7A9C5FA248B26D4603B927A1FF45F84F445833CA4E0BB99EF3CD546C360
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b52c0054d56aefd0f3e1567eddfd226f434cc3305f3d4ff0dfe5c57373c99d56
                                                                            • Instruction ID: 3930091d18e4b5c7b80d59364576c51df122a6521e4282c8fab08d426c491044
                                                                            • Opcode Fuzzy Hash: b52c0054d56aefd0f3e1567eddfd226f434cc3305f3d4ff0dfe5c57373c99d56
                                                                            • Instruction Fuzzy Hash: 0B22BF26A0C56AC6EA20EF22D2612BD6355BF84744F504936DE0E877D6EF3CE509C7B0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e671008534e80604538bd923785f75ee5c173f21ecf6df136e96451e37028845
                                                                            • Instruction ID: 6261c5683c2b7ad42f8bc950de7bbb287c8f893c58f2face29e74a7d7b95ec00
                                                                            • Opcode Fuzzy Hash: e671008534e80604538bd923785f75ee5c173f21ecf6df136e96451e37028845
                                                                            • Instruction Fuzzy Hash: 4E61B531B1D26AC2FA54A623553557B51A1EF843A4F180A37EF7E427C5EF3CE441CA20
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            (rendered graph not reproduced; summary of its nodes) Function 7ffc670f76e0: the only Win32 import reached in the graph is FreeConsole, called from block 7ffc670f780f; the function calls itself from block 7ffc670f7879-7ffc670f7881; every other call target (7ffc67109ad0, 7ffc67100e20, 7ffc671084f0, 7ffc67101310 and others) is an internal routine of the module loaded at 7ffc670c0000.
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ConsoleFree
                                                                            • String ID: )8GV$UsS$UsS$d
                                                                            • API String ID: 771614528-2529742583
                                                                            • Opcode ID: fe77994c02c4c18a5344a767264b09122eac9de7f449874fa6967c2ee9c58cdd
                                                                            • Instruction ID: 5666e4b1029d1c5707ca211272cee02bcbfc713ee7008d18883d2bca0ed3c8ef
                                                                            • Opcode Fuzzy Hash: fe77994c02c4c18a5344a767264b09122eac9de7f449874fa6967c2ee9c58cdd
                                                                            • Instruction Fuzzy Hash: F191E621B1C66AC2EA54EB22E1751BE5351FF84780F944936EE5E877C6DE2CD801C371
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            (rendered graph not reproduced; summary of its nodes) Function 7ffc67122e60: reaches RegOpenKeyExW (block 7ffc67123013-7ffc6712303d), RegEnumKeyW (block 7ffc67122fa4-7ffc67122fba) and RegCloseKey (blocks 7ffc67122f56-7ffc67122f59 and 7ffc67123164). Block 7ffc67123095-7ffc671230aa branches back to 7ffc67122f30, forming the enumeration loop, and block 7ffc67123268-7ffc671232b8 calls 7ffc67122e60 itself, consistent with a recursive walk of subkeys. The remaining call targets (7ffc67109ad0, 7ffc670ffcb0, 7ffc670ffcc0, 7ffc67100e20 and others) are internal routines of the module loaded at 7ffc670c0000.
                                                                            APIs
                                                                            • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC67122F59
                                                                            • RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC67122FB4
                                                                            • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC67123039
                                                                            • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 00007FFC67123164
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close$EnumOpen
                                                                            • String ID:
                                                                            • API String ID: 138425441-0
                                                                            • Opcode ID: 9040a30d361a83406cf626564ceae3e4d7b26da50e6fb5ff6255cba964b20aea
                                                                            • Instruction ID: 17f2deafbfc04828739bba9b4cd114bcc09292585fa60eb428579f186d443f26
                                                                            • Opcode Fuzzy Hash: 9040a30d361a83406cf626564ceae3e4d7b26da50e6fb5ff6255cba964b20aea
                                                                            • Instruction Fuzzy Hash: 07C1A831B0D669C2EE649B66E46037D6361EFC5750F044A32EE6D477C5DE2CE846CB20
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.273862836.00000228311A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000228311A0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_228311a0000_loaddll64.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual$NodeRemove
                                                                            • String ID:
                                                                            • API String ID: 3879549435-0
                                                                            • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction ID: 9fde075fd532d683483e6ea7d4b61591267e691268cb87368af57e2a6bd6e7bd
                                                                            • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction Fuzzy Hash: 11B15276619AC486D770CB5AE4407EEBBA1F789B80F108126EE8953B68DF79C8518F40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
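The records on this page list each function's API calls, memory-dump source and fuzzy hashes but give no way to rank thousands of them for review. The following Python, added here as an example and not code from Joe Sandbox or from this report, parses records in the form shown above and orders them for triage: functions dumped from private read-write-execute memory first (code written at run time rather than mapped from the image, which is where the VirtualProtect/RemoveNode function in the 228311A0000 region lives), then functions whose call snapshots contain a registry root constant (the 80000002 literal in the registry walker at 7ffc67122e60 is HKEY_LOCAL_MACHINE). Assumptions: the positions of the dump start, protection and memory-type fields in the dotted .sdmp name are inferred from the values on this page, not from documentation; the sample text is constructed from two of this page's records; which parameter slot held the HKEY constant is not recoverable from the snapshot, so it is reported as a hint rather than a resolved argument.

```python
"""Triage of Joe Sandbox per-function records (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Standard Win32 constants (winnt.h / winreg.h).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}

# Matches "RegOpenKeyExW.KERNELBASE(?,?,...,80000002), ref: 00007FFC67123039"
API_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<site>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"(Source File|API ID|Instruction Fuzzy Hash|Uniqueness Score):\s*(.*)")


@dataclass
class ApiCall:
    api: str
    module: str
    site: int                # call-site address from "ref:"
    literal_args: List[int]  # argument-snapshot slots that were not "?"


@dataclass
class FunctionRecord:
    source_file: str = ""
    api_id: str = ""
    instruction_fuzzy_hash: str = ""
    calls: List[ApiCall] = field(default_factory=list)

    def region(self) -> Tuple[int, int, int]:
        """(dump start, PAGE_* protection, MEM_* type) from the .sdmp name.
        ASSUMPTION: dotted field 4 is the dump start, field 5 the protection and
        field 7 the memory type; inferred from this page's values, not documented."""
        p = self.source_file.split(".")
        return int(p[3], 16), int(p[4], 16), int(p[6], 16)

    def is_rwx_private(self) -> bool:
        """Writable+executable private memory is not the mapped image: the code
        there was written at run time (unpacked or injected)."""
        _, protect, mem_type = self.region()
        return protect == 0x40 and mem_type == 0x20000

    def registry_roots(self) -> List[str]:
        """HKEY roots seen anywhere in a call's argument snapshot. The snapshot
        does not say which parameter slot held the value: a hint, not the hKey."""
        roots: List[str] = []
        for c in self.calls:
            for a in c.literal_args:
                if a in HKEY_ROOTS and HKEY_ROOTS[a] not in roots:
                    roots.append(HKEY_ROOTS[a])
        return roots


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records; a 'Uniqueness Score' line closes each one."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_RE.search(line)
        if m:
            args = [int(a, 16) for a in (s.strip() for s in m["args"].split(",")) if a not in ("", "?")]
            cur.calls.append(ApiCall(m["api"], m["module"], int(m["site"], 16), args))
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue
        key, val = f.group(1), f.group(2).split(",")[0].strip()  # drop ", Offset: ..."
        if key == "Uniqueness Score":  # last field of a record
            records.append(cur)
            cur = FunctionRecord()
        else:  # "Source File" -> source_file, "API ID" -> api_id, ...
            setattr(cur, key.lower().replace(" ", "_"), val)
    return records


def triage(records: List[FunctionRecord]) -> List[dict]:
    """Review order: run-time-written code first, then registry-touching code."""
    rows = []
    for r in records:
        base, protect, mem_type = r.region()
        rows.append({"dump_start": hex(base),
                     "region": f"{PAGE_PROTECT.get(protect, hex(protect))}/{MEM_TYPE.get(mem_type, hex(mem_type))}",
                     "runtime_code": r.is_rwx_private(), "api_id": r.api_id,
                     "apis": sorted({c.api for c in r.calls}),
                     "registry_roots": r.registry_roots(), "fuzzy": r.instruction_fuzzy_hash})
    return sorted(rows, key=lambda h: (not h["runtime_code"], not h["registry_roots"]))


# Constructed sample: two records excerpted from this report (the registry walk at
# 7ffc67122e60 and the VirtualProtect/RemoveNode function in the 228311A0000 region).
SAMPLE = """
• RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC67122F59
• RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC67122FB4
• RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC67123039
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• API ID: Close$EnumOpen
• Instruction Fuzzy Hash: 07C1A831B0D669C2EE649B66E46037D6361EFC5750F044A32EE6D477C5DE2CE846CB20
Uniqueness Score: -1.00%
• Source File: 00000000.00000002.273862836.00000228311A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000228311A0000, based on PE: true
• API ID: ProtectVirtual$NodeRemove
• Instruction Fuzzy Hash: 11B15276619AC486D770CB5AE4407EEBBA1F789B80F108126EE8953B68DF79C8518F40
Uniqueness Score: -1.00%
"""
```

Running triage(parse_records(SAMPLE)) puts the 228311A0000 function first as PAGE_EXECUTE_READWRITE/MEM_PRIVATE code, and the registry walker second with HKEY_LOCAL_MACHINE as its root hint; the Instruction Fuzzy Hash is carried along so the same rows can be compared across samples, which is what the Similarity fields in the report exist for.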

                                                                            Control-flow Graph
                                                                            (rendered graph not reproduced; summary of its nodes) Function 7ffc6711f550: reaches CreateFileW (block 7ffc6711f6af-7ffc6711f6d1) and, on the path through block 7ffc6711f725-7ffc6711f749, SetFileTime (block 7ffc6711f74b-7ffc6711f75a); the remaining call targets (7ffc67103360, 7ffc67106bf0, 7ffc67102fa0, 7ffc67109ad0, 7ffc6710d730, 7ffc671077b0, 7ffc671075b0, 7ffc67106d10, 7ffc67100e20) are internal routines of the module loaded at 7ffc670c0000.
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: aec0a7225e8e6c00049340723db4e1e7198fb52ab2bc5e590aae07ecbfda9d15
                                                                            • Instruction ID: ebddfab639dfa32e7a1e5b0fe1cdd0fa17d2988cd0fbadf6a6b926681fe21738
                                                                            • Opcode Fuzzy Hash: aec0a7225e8e6c00049340723db4e1e7198fb52ab2bc5e590aae07ecbfda9d15
                                                                            • Instruction Fuzzy Hash: 56512921B0D6AAC2F6649B23A4343BA2265FF84784F144937DAAE0B7C5DE3DD441DB20
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$PointerRead
                                                                            • String ID:
                                                                            • API String ID: 3154509469-0
                                                                            • Opcode ID: db028594bc8b5677cbc4ad6c23936fd200019b0bac19abf828ee229ab7d43dc6
                                                                            • Instruction ID: a2d2bca99f1db04458628e36d8234714a147bffbd16d1f40bda1424cb3871bbe
                                                                            • Opcode Fuzzy Hash: db028594bc8b5677cbc4ad6c23936fd200019b0bac19abf828ee229ab7d43dc6
                                                                            • Instruction Fuzzy Hash: 1F41A521F1D6A9C3EA50AB26A06117E6399EF84784F140536EA9E4BBD5DF3CD402CF60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC6710961D), ref: 00007FFC67122885
                                                                            • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC6710961D), ref: 00007FFC671228E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID:
                                                                            • API String ID: 3660427363-0
                                                                            • Opcode ID: 505d3e8216d65752d9c9970fe8de9b0105d3b943a84e5339b5d033298b12e6c9
                                                                            • Instruction ID: 456c83149d5d6734ef7f60e65f37fe2f4bc60ece843003f8ef6c619278681f33
                                                                            • Opcode Fuzzy Hash: 505d3e8216d65752d9c9970fe8de9b0105d3b943a84e5339b5d033298b12e6c9
                                                                            • Instruction Fuzzy Hash: 0B21D637B1E66982EA10DB56A42112EA3A1EF847A4F084536EE9C47BD8DF7CD481CB10
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph
                                                                            (rendered graph not reproduced; summary of its nodes) Function 7ffc67121850: the only Win32 import reached is CreateMutexA (block 7ffc6712199a-7ffc671219b3, entered from block 7ffc6712197c-7ffc67121998); the remaining call targets (7ffc671216b0, 7ffc67121490, 7ffc67100ee0, 7ffc67109ad0, 7ffc6710d730, 7ffc671077b0) are internal routines of the module loaded at 7ffc670c0000.
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateMutex
                                                                            • String ID:
                                                                            • API String ID: 1964310414-0
                                                                            • Opcode ID: 2cf95efc385c725b9022cf8212db04d77c482d4e4406951c86c10693420f5340
                                                                            • Instruction ID: 69b3c109f16f0cc5d5709a9479b5e565b80d2b9a5a2cfdb242d2969dad9385d0
                                                                            • Opcode Fuzzy Hash: 2cf95efc385c725b9022cf8212db04d77c482d4e4406951c86c10693420f5340
                                                                            • Instruction Fuzzy Hash: BB51CD32A0D3A5C6EB94EB2250352BD2261EF84B84F580836EE9D07785DF3DD981D760
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

Control-flow Graph

APIs
• ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FFC671214EB
Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID: DescriptorSecurity$ConvertString
• String ID:
• API String ID: 3907675253-0
• Opcode ID: 2eccd0c63b57d71c448d16ee564a8a11a0e937c987636d1f9c740f04a7ca8c8e
• Instruction ID: f061e0582c38a4cef2ed241a95240ac0e5f974d12b7430faa73e6a2dbff61de4
• Opcode Fuzzy Hash: 2eccd0c63b57d71c448d16ee564a8a11a0e937c987636d1f9c740f04a7ca8c8e
• Instruction Fuzzy Hash: E821833670CB5AC2EA10EF5AA1640A973B0FF89784F944436DB9D07B45EF78E511CB50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F6CC
Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 9933a6296932c9aaeac43b8e72c576d6d43d9e66245f160a84ba2bfbc0e42396
• Instruction ID: 71c5517bebf96a4f4d620ead332a71bfea0dd4ccca4f7b16b38fd6af7bb5c086
• Opcode Fuzzy Hash: 9933a6296932c9aaeac43b8e72c576d6d43d9e66245f160a84ba2bfbc0e42396
• Instruction Fuzzy Hash: 9A11E722A0D66AC2E6709B12A0243BB6394FF44784F580937DBAE0B791DF3DE441DB60
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F6CC
• SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F75A
Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID: File$CreateTime
• String ID:
• API String ID: 1043708186-0
• Opcode ID: ab920c4048ecd73485d9a24abe9911eec550e0ad73fe64493c44082e69fe9c96
• Instruction ID: 0a12c22122c171aa0244ab060d558932ebdd2d787245e2a4df539d15c2f15a50
• Opcode Fuzzy Hash: ab920c4048ecd73485d9a24abe9911eec550e0ad73fe64493c44082e69fe9c96
• Instruction Fuzzy Hash: 4911C62260D66AC6E6609B1260243BA6395FF84784F580937DBDE0B791DF3CD441DB60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[control-flow graph for 7ffc6711ec70-7ffc6711ed05 not reproduced; the executed / not-executed colouring was lost in extraction. The graph includes the FindNextFileW call at 7ffc6711ec94-7ffc6711ec9f.]
APIs
Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID: FileFindNext
• String ID:
• API String ID: 2029273394-0
• Opcode ID: 26ebda7149b16bce636ef64988408f2f4fd758443eccbcd7e202da9d4eacb6a9
• Instruction ID: 56e2db17ffddd385ee355572dd9702f3e610bd673300856617fc73fb7469345b
• Opcode Fuzzy Hash: 26ebda7149b16bce636ef64988408f2f4fd758443eccbcd7e202da9d4eacb6a9
• Instruction Fuzzy Hash: 7511C621A2C26AC2FB644BA6952177913D1DF50789F041832DE4C4B6C5DF2CEA99C360
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F6CC
• SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F75A
Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID: File$CreateTime
• String ID:
• API String ID: 1043708186-0
• Opcode ID: e80f8483cf94c30f6301f3d3c985100ccdfca77954115487aecc5a17041d3c9f
• Instruction ID: 493b0d88328c52f392fa653fae8f466e9db585727ea1320e62ef08666aec3be9
• Opcode Fuzzy Hash: e80f8483cf94c30f6301f3d3c985100ccdfca77954115487aecc5a17041d3c9f
• Instruction Fuzzy Hash: 4511E022A0D6AAC2E6709B1260243FA2394FF84780F180937DBAE0B790DF3CD441DB60
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F6CC
• SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F75A
Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID: File$CreateTime
• String ID:
• API String ID: 1043708186-0
• Opcode ID: 6e284fec9c092ab559da79d84b2b54fba405a3312493b2d376a7f6576a005246
• Instruction ID: 6b2b77d80570fac13ad2bc04f73218479962fcb15e979423cdd825bc2a2a7bdc
• Opcode Fuzzy Hash: 6e284fec9c092ab559da79d84b2b54fba405a3312493b2d376a7f6576a005246
• Instruction Fuzzy Hash: 5D01A522A0D6AAC2E6709B12B0243BA6354FF84784F580937DB9E0B791DF3CD441DB60
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID: EnumValue
• String ID:
• API String ID: 2814608202-0
• Opcode ID: af68b27f32d806152594ea98ebc8f2426a04b51a09888dca3b9f639ab6fe49d2
• Instruction ID: 5668e3d75a2cd46fb618cca09badb813bdaffb4d24fec8b2e199cc41921c7ac7
• Opcode Fuzzy Hash: af68b27f32d806152594ea98ebc8f2426a04b51a09888dca3b9f639ab6fe49d2
• Instruction Fuzzy Hash: 59114F7660CB85C6D6209F02F45019AB7A4FB88B80F698526EF9D03B04DF38D591CB04
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: 7e47ca28742369fe6618816808a4c8b1d75f0f49f581dd722c821a23b829cda3
• Instruction ID: d46c35bca76d3d9b640076a98c9a19b6a8855c95a10b86f20a1853828b930cb3
• Opcode Fuzzy Hash: 7e47ca28742369fe6618816808a4c8b1d75f0f49f581dd722c821a23b829cda3
• Instruction Fuzzy Hash: FB01F261A0CA69C2FA548B12F93466563A0FF89BC4F088836DACC0A795EE3CD420C710
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 493c924839c8f486efe9302bf07efba55ae8e24e31a758d15e6e508aa6b42a41
• Instruction ID: a94b1dd4c3dd42c6aed8a2fa1bdbe26a2b4b6b262399d2e264e00402d1e2fed2
• Opcode Fuzzy Hash: 493c924839c8f486efe9302bf07efba55ae8e24e31a758d15e6e508aa6b42a41
• Instruction Fuzzy Hash: 4E0171A1A2C56EC2EE10EB17E8791BA5321FFD8784F405833E98E4768BDE2CD115D760
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID: BoundaryDeleteDescriptor
• String ID:
• API String ID: 3203483114-0
• Opcode ID: 4cc1cfa08cb3aa26b208f28932105458a4a2f75863f8a1a8a56e0b8e89d82dcb
• Instruction ID: 4a78a38863c437d914e34cfeb6b49a89ca47a7e84444b3898e8ee76d879d2d41
• Opcode Fuzzy Hash: 4cc1cfa08cb3aa26b208f28932105458a4a2f75863f8a1a8a56e0b8e89d82dcb
• Instruction Fuzzy Hash: 39F03440E0E26A82FE68A3A3583827101825F89740F1C8C37C85E4A3C6EE2CEA51E221
Uniqueness

Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000228311A29A2), ref: 00000228311A20B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.273862836.00000228311A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000228311A0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_228311a0000_loaddll64.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction ID: a36aa80bb0f86e0e79c4c7693e7cd256ee6ce0a4abceed8d4d3a6cfdceccc0c4
                                                                            • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction Fuzzy Hash: CA314B76615A8086D790CF1AE45479A7BB0F389FD4F205026EF8D87B28DF39C4428B00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 0020$0020$3050$3050$4040$GNOP$UsS
                                                                            • API String ID: 0-786335679
                                                                            • Opcode ID: 5be17ce47cb696ad8ebe08059e3a04d8274828d0908c5d2498a1ef30804e777d
                                                                            • Instruction ID: 12c5acca109651849dd426818243d7eb232cd29b6d41fe925ce48b6f9af37fde
                                                                            • Opcode Fuzzy Hash: 5be17ce47cb696ad8ebe08059e3a04d8274828d0908c5d2498a1ef30804e777d
                                                                            • Instruction Fuzzy Hash: 6772852261C6AAD5EB20EF22C4A12FD2765FF94344F804532EA4D8769ADF3CE645C770
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: S4$vfoR$vfoR$vfoR$vfoR
                                                                            • API String ID: 0-2269768260
                                                                            • Opcode ID: ad1c61b5abb7709118fef60bedef370a1d41792bb72744018df3e1a3b7ec9870
                                                                            • Instruction ID: fd5ff133f42e9a29ad180b427ea5c4bfcd4e3709c5d3e922268ed9d2f560563b
                                                                            • Opcode Fuzzy Hash: ad1c61b5abb7709118fef60bedef370a1d41792bb72744018df3e1a3b7ec9870
                                                                            • Instruction Fuzzy Hash: 82422821B0C66AC1FA10EB6296712FE5251AF857A4F440A31DE1E877DAEF3CE505C770
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ERCP$VUUU$VUUU$VUUU
                                                                            • API String ID: 0-2165971703
                                                                            • Opcode ID: 591c415930979aab0714090d7240fd92d9ed515d5c4c0def523605ced274e22d
                                                                            • Instruction ID: 56102c6ccfb2df1cf668b46486808a12c09e50bc58021d01f4686d380f25a98f
                                                                            • Opcode Fuzzy Hash: 591c415930979aab0714090d7240fd92d9ed515d5c4c0def523605ced274e22d
                                                                            • Instruction Fuzzy Hash: B7528072A0D6A9CAEB648A7694603BD37A1FF04B68F144937DB4E56E84DF3CE580C710
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: )8GV$)8GV$@
                                                                            • API String ID: 0-2802744955
                                                                            • Opcode ID: be4ed7d546273f48a43cc3949a30825a3f966d05a4d232db6a547afc854aff41
                                                                            • Instruction ID: 3018f5046f41b2ecddc58344147b1175a6e39ca749fe0b26499fef83697f07a9
                                                                            • Opcode Fuzzy Hash: be4ed7d546273f48a43cc3949a30825a3f966d05a4d232db6a547afc854aff41
                                                                            • Instruction Fuzzy Hash: B2326F22A2C66AD5EB10EF62D8712FD2365EF84384F805832EA4D87696DF3CE545C770
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: */*$GET$POST
                                                                            • API String ID: 0-3233530491
                                                                            • Opcode ID: 6a5464faf8c14e7bbf553d431dd16a1925e01ededdcf9ee096d392032e91729e
                                                                            • Instruction ID: 67886a16fb9984d8a88fabcdf9b88730343aae8ada1157d8d1fa51cd1de77459
                                                                            • Opcode Fuzzy Hash: 6a5464faf8c14e7bbf553d431dd16a1925e01ededdcf9ee096d392032e91729e
                                                                            • Instruction Fuzzy Hash: 1512B436A1CA5AC5EB10DF62E8641EE7361FF84388F400832EA4D47B9ADF38D549D760
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ,q,\$,q,\
                                                                            • API String ID: 0-1092452903
                                                                            • Opcode ID: da22d920ff5cc6227cc0f6e061e432e43b1ab4f4e1d95c9d1540ba4b916ccb75
                                                                            • Instruction ID: 728bf1e697fa5fdbf8b480067d7f2159b1b33f29c26ec3d7b75c7084f9cb4cd7
                                                                            • Opcode Fuzzy Hash: da22d920ff5cc6227cc0f6e061e432e43b1ab4f4e1d95c9d1540ba4b916ccb75
                                                                            • Instruction Fuzzy Hash: 85418222F2C57AD4FB10EB7298650FD1275AF98B84B844832EE1E57BCADE2CD441D320
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: GET
                                                                            • API String ID: 0-1805413626
                                                                            • Opcode ID: 191bd874223b941efcdc37b276927ba136f876b1b1cf62d8a1eba65c660f0a7c
                                                                            • Instruction ID: a58c89a082b3d64e27f5b0ffb0108e3c41693290608d36287fe9b625fd844cb2
                                                                            • Opcode Fuzzy Hash: 191bd874223b941efcdc37b276927ba136f876b1b1cf62d8a1eba65c660f0a7c
                                                                            • Instruction Fuzzy Hash: C982A122A1C66AC1FB50DB26D0B53BE6760EF95748F541932EA4E876C6CE3CE446C730
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e9212d7575b3fbabd50a379440132ff797bc44526c62079ea4db29769d4571f2
                                                                            • Instruction ID: 0ffd8d342d86dbf3d99e8928ce982d6dc484cd37ea2a6307dce67871df34a543
                                                                            • Opcode Fuzzy Hash: e9212d7575b3fbabd50a379440132ff797bc44526c62079ea4db29769d4571f2
                                                                            • Instruction Fuzzy Hash: E5527221A1C6AAC5FB20EB72C4753FD23A5EF90754F900832EA0D56ADADE2CE545C770
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID: ,q,\
                                                                            • API String ID: 3535843008-3313482636
                                                                            • Opcode ID: 279a58ebf584ed7ba7a6137754720abf4cd195921bddb2da9a4930e224aabd46
                                                                            • Instruction ID: 7e857828679d083ed1950952db561f2aca00d7d0785daf9808ab65ffc58192a1
                                                                            • Opcode Fuzzy Hash: 279a58ebf584ed7ba7a6137754720abf4cd195921bddb2da9a4930e224aabd46
                                                                            • Instruction Fuzzy Hash: 14627E22B1C66AD5EB10EB72D4651FD6361EF94348F804832EA0E47ACAEF3CE545D760
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateMutex
                                                                            • String ID: z
                                                                            • API String ID: 1964310414-1657960367
                                                                            • Opcode ID: 1e707f74714288df0667b0df01b82e277c3d87d6d76ba15377dbc88d48ddda99
                                                                            • Instruction ID: ac52ae59ea7ce7531bb0170aed2957083ec9be3533356cead8602f3d4c4897c3
                                                                            • Opcode Fuzzy Hash: 1e707f74714288df0667b0df01b82e277c3d87d6d76ba15377dbc88d48ddda99
                                                                            • Instruction Fuzzy Hash: 3F527E32B18AA9E6E748EB31C6652ED7365FF84344F804836E71D43686DF38E165C760
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: !hMy
                                                                            • API String ID: 0-318797071
                                                                            • Opcode ID: 2d843baf34b2fd8d5bc90b995860dada836707dc61b81bacbb5f51131095915e
                                                                            • Instruction ID: 74800c2cf9666f752bdee80f9087cf0d41a8e3bf48da489825fbb7d38372d95c
                                                                            • Opcode Fuzzy Hash: 2d843baf34b2fd8d5bc90b995860dada836707dc61b81bacbb5f51131095915e
                                                                            • Instruction Fuzzy Hash: 88428236A1C66AC5EA24EB22D4652FE6360EF95344F804C32D79E822D6DF3CE585C770
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseEnumValue
                                                                            • String ID: 'Q|
                                                                            • API String ID: 858281747-3964534801
                                                                            • Opcode ID: a7f88f11ebb2f20ff444be0074f6f7f4e2b2bd0c8388cc24e2b6011576de200b
                                                                            • Instruction ID: 49710ced281052175f2b811221368114e56309b9015018a14257e097a50769ca
                                                                            • Opcode Fuzzy Hash: a7f88f11ebb2f20ff444be0074f6f7f4e2b2bd0c8388cc24e2b6011576de200b
                                                                            • Instruction Fuzzy Hash: CE229D22B1C56AC5EA10EB62C1751FD2371EF88748F944932EA4E976CADF2CE506C770
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: -R+
                                                                            • API String ID: 0-215093852
                                                                            • Opcode ID: c2ebaee40d3443b75258207ad54ae9ef1b3727b9b2307a94eb29f165cfbdaf13
                                                                            • Instruction ID: fd580cdc981b5d90de083af007db4c004a95d279b0196e8dfadebe3f50b6d61e
                                                                            • Opcode Fuzzy Hash: c2ebaee40d3443b75258207ad54ae9ef1b3727b9b2307a94eb29f165cfbdaf13
                                                                            • Instruction Fuzzy Hash: 1902AF22A2C6AAD5EB10EF62D5601ED6325FF84344F804832EA4D97ADADF3CE545C730
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID: 0-3916222277
                                                                            • Opcode ID: c52085b52813831b42183e47ad3d99a7f7d6d7082d4d86fa951259cb7f88e0df
                                                                            • Instruction ID: db939553db064fb8abe43f3537c556aedf40f029ca8da8953e24131fcdb306f8
                                                                            • Opcode Fuzzy Hash: c52085b52813831b42183e47ad3d99a7f7d6d7082d4d86fa951259cb7f88e0df
                                                                            • Instruction Fuzzy Hash: 4181C521B1D26AC2E954A763A43437E6256BFC5B80F444C35E98E877CADE3CE901DB31
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: `ngU
                                                                            • API String ID: 0-1771476526
                                                                            • Opcode ID: 99573f904c5d6b3ad7913296c3be0af2c30b65ad59d47746cb0cd9dafcb922a0
                                                                            • Instruction ID: ce3c12764ae9ac002fb95710383ad22d53b8a5e4d2d484e1568d7cd7dfbd075e
                                                                            • Opcode Fuzzy Hash: 99573f904c5d6b3ad7913296c3be0af2c30b65ad59d47746cb0cd9dafcb922a0
                                                                            • Instruction Fuzzy Hash: A191A522B1C56AC5FB14EB72D0A52FD6371AF54788F805833EA0D9769ADE2CE405D370
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ERCP
                                                                            • API String ID: 0-1384759551
                                                                            • Opcode ID: 5c0459b61386457cc212822abbe1eb74425903cd16e4a0cba1d06804f81f7a37
                                                                            • Instruction ID: 64ad6c8a474110177e59ba370b623202840fd983bf0eb553b37af5e9c105da6d
                                                                            • Opcode Fuzzy Hash: 5c0459b61386457cc212822abbe1eb74425903cd16e4a0cba1d06804f81f7a37
                                                                            • Instruction Fuzzy Hash: 7E41D667B244558BE3189F2998212BA2791F7E87817008838FBD7C3B89ED7CDE51C364
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7debaff0c189cc42f27e709916392a2aa8c7e4bf85a6ef2bf3043c85e3627177
                                                                            • Instruction ID: a0fa98993a89aad90b4b4e9af561c4817a80df81c071596dbcc9d30c3dd1a0cc
                                                                            • Opcode Fuzzy Hash: 7debaff0c189cc42f27e709916392a2aa8c7e4bf85a6ef2bf3043c85e3627177
                                                                            • Instruction Fuzzy Hash: 3B82C062B1C7AAC2FA248B1294643B963A1FF44F84F855833DA4D4B799EF3CD855C360
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 938572b376330c988c2ab532f803d7d936e039e3a94341f4623fef4a4037a9e3
                                                                            • Instruction ID: a26c6cdc347734a4f5b4582225890518bcb55d1bd5d551fe4b914abd61e6452c
                                                                            • Opcode Fuzzy Hash: 938572b376330c988c2ab532f803d7d936e039e3a94341f4623fef4a4037a9e3
                                                                            • Instruction Fuzzy Hash: 0372D061B0C7AEC5EB658B1694602B867A1FF95F84F854833CA4D0B795EF3CE981C360
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8924dbe6c7d405e2cff27ca73bd22417ad998fd89c4a4b63178fafe79df92f65
                                                                            • Instruction ID: c92f574b973ea68f3bbf2bfedba711c59c94211aefa7e300413914a967087d0b
                                                                            • Opcode Fuzzy Hash: 8924dbe6c7d405e2cff27ca73bd22417ad998fd89c4a4b63178fafe79df92f65
                                                                            • Instruction Fuzzy Hash: 9B72F171B0C7AEC1EA648B1694642B867A5FF85B84F854833CA4D0B795EF3CE981C360
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            • Opcode ID: 9a309b6559be776572afeeb754e3d6c3cc73aff03e68f9f8e21edbf3e8152795
                                                                            • Instruction ID: b4f24fcdc70ba3a5324f41fa9243f85a1d62b5a0174a7d845ed31bc8be3a86d8
                                                                            • Opcode Fuzzy Hash: 9a309b6559be776572afeeb754e3d6c3cc73aff03e68f9f8e21edbf3e8152795
                                                                            • Instruction Fuzzy Hash: 18723F21B2C66AD4EB00EF72C5A51ED6765EF94344FC04832EA4D87A9AEF2CE505C770
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3faeac1cbfb6292ffdda141fe1e23e6e0c6ce6059580f73432d93193a345a3b9
                                                                            • Instruction ID: 0a7c7a107c83f3880b626d8768647496cdc4893f51a4cd6cf2ca87ed5972a539
                                                                            • Opcode Fuzzy Hash: 3faeac1cbfb6292ffdda141fe1e23e6e0c6ce6059580f73432d93193a345a3b9
                                                                            • Instruction Fuzzy Hash: 2452F362B1CBA9C1EB648B12D4643B963A1FF84B84F445833DA5D07799EF3CE850D760
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a27784a074e2bb7dca5615da6ac60503d5b4f0c137b04b5a13c1ab1661bc6fbb
                                                                            • Instruction ID: b6ee770ef54eb594334c14f5b9106140cfc050bba978a1939048bda9c8ba67a1
                                                                            • Opcode Fuzzy Hash: a27784a074e2bb7dca5615da6ac60503d5b4f0c137b04b5a13c1ab1661bc6fbb
                                                                            • Instruction Fuzzy Hash: 11626DB6618669CBD7648F26C09052C37B1FB58F68B255626CF1D43B89CF38E891CF60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4aad6c12c6f4205963c672b76a8099d02b26c8d99045ba3237d2967ca350f401
                                                                            • Instruction ID: 7e1ea8d7dc4ebc121c80d9d2ae168d1814de528a06c26ae26279bd4d699cb8f9
                                                                            • Opcode Fuzzy Hash: 4aad6c12c6f4205963c672b76a8099d02b26c8d99045ba3237d2967ca350f401
                                                                            • Instruction Fuzzy Hash: 3352A121A2C66AC1FA40EB62E4755FE6361FF84784F805832EA4E87696DF3CE505C770
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 715062e220f59cf9500e4b1a395658f8ab7f47472dd04a4be2b1a5b16cc3dca4
• Instruction ID: a4e128f856a18f21fe7104dd9a64fdafbfb743df579255dcc0b7b1a7e42dbd58
• Opcode Fuzzy Hash: 715062e220f59cf9500e4b1a395658f8ab7f47472dd04a4be2b1a5b16cc3dca4
• Instruction Fuzzy Hash: 76427B22A1C6AAC5EB10EB72C5612FD6365EF94354F804832EA0D87ADADF3CE545C770
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e648facd1d502af1e49e6eb6358983bc58e1ad11de91e4235a1da34ba6cd2659
• Instruction ID: c3119dc900060a2258a7744ccca3521d1bccf1347d73575b74ef8fd5d2c62505
• Opcode Fuzzy Hash: e648facd1d502af1e49e6eb6358983bc58e1ad11de91e4235a1da34ba6cd2659
• Instruction Fuzzy Hash: 7E32C622B18666C5EB10EF77C4A52ED2765EF84B98F445436EE0E8778ADE3CE045C360
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7139bcd1ce5fdb58b7d546cb367074c75fbad7a78bf90e696654dd1ca0ba9ac0
• Instruction ID: fc3fcc5221f96567d45d234464294515e189abecee0434864ca0c2b1c2bf13b4
• Opcode Fuzzy Hash: 7139bcd1ce5fdb58b7d546cb367074c75fbad7a78bf90e696654dd1ca0ba9ac0
• Instruction Fuzzy Hash: 33329022A1C66AD5EB10EF22D4A51FD2365EF94388F804832EA4D876DADF3CE505D770
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0b44c345080f3d0d1bc8bef216de49d3e5bfd808f9b766a3ba0443cddd708ccd
• Instruction ID: 9f2b4694ade63ea6cac57ca9bda372ba5c32e430a78221a42bff268275b3b61b
• Opcode Fuzzy Hash: 0b44c345080f3d0d1bc8bef216de49d3e5bfd808f9b766a3ba0443cddd708ccd
• Instruction Fuzzy Hash: 80128121A2C66AC5EB10EF72D4752FD63A5EF84744F800832EA4D96ADADE3CE545C730
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d49b644cad6694cd14e8da8a75c2b99da55971c1b9b2318d785b08d65ed4a64b
• Instruction ID: f423b98ff0a8c816ef990eedf1c062721b6238d2f4cc845a73532161272e1e28
• Opcode Fuzzy Hash: d49b644cad6694cd14e8da8a75c2b99da55971c1b9b2318d785b08d65ed4a64b
• Instruction Fuzzy Hash: A002017290C2BAC5FB658B3680293793BB1EF11704F154937DAAE425E5DE2CE688D730
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7a31171ef1d09154c8bb64f43a5a6c94ab0abf716ba086a025094ebfeb533d6
• Instruction ID: 09471cd9e1873fcf24ff1c3c8780a26cf2ac3e9d7638eaf7129c85ccbcba7cc1
• Opcode Fuzzy Hash: a7a31171ef1d09154c8bb64f43a5a6c94ab0abf716ba086a025094ebfeb533d6
• Instruction Fuzzy Hash: D6225322B2C66AD5EB10EF72C5A51ED6365FF94344F804832EA4D8769AEF3CE105C760
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50d2b93ebdf18556efae1baa4f9cd6940db842e628aaa6e187870812b7cc1f0b
• Instruction ID: b52d9b7521ba978e4d22eac4cea1d8984fe40d0096c4a9f62fe16028b3d83a0d
• Opcode Fuzzy Hash: 50d2b93ebdf18556efae1baa4f9cd6940db842e628aaa6e187870812b7cc1f0b
• Instruction Fuzzy Hash: 3122B732A2C66AC1EB10EB62D4695FE2365FF94784F804832EA4D83696DF3CE545C730
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f214e6889ff07b5cdff74ab9c3a83d51ae64ba2f67ed0e5182fd07676cd33270
• Instruction ID: 08cb11feb0b256bfdcf4fee20eea164c5cfc94f9952e1680e77192d9b011c038
• Opcode Fuzzy Hash: f214e6889ff07b5cdff74ab9c3a83d51ae64ba2f67ed0e5182fd07676cd33270
• Instruction Fuzzy Hash: CC029131B0C66AC7FB20EB6290712F912A5AF94748F444936EE5D47BC6EF2CE541C360
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 141879225045fb0130bba94e189b1d8bd3edad3111932d99e478955394790145
• Instruction ID: 7640f7b16f42486e249dccc5514ef23db0b5af4abe0ab5b34affe6be69f292bc
• Opcode Fuzzy Hash: 141879225045fb0130bba94e189b1d8bd3edad3111932d99e478955394790145
• Instruction Fuzzy Hash: C2028D36B0C26ACAEB10DF26C1A51AD33A5EF84784F514836DE1E97786DE3CE845C760
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81f12b039721c9f9441b328414c886d93419b1b5e6ea1361f51a92b464c44b6d
• Instruction ID: 1e76f383a1bdf5c35fac8d14758ca447b3b671d8327a74596fc25c405298291a
• Opcode Fuzzy Hash: 81f12b039721c9f9441b328414c886d93419b1b5e6ea1361f51a92b464c44b6d
• Instruction Fuzzy Hash: 7E129621A2C66AD5EB10EF22D4A52FD6365FF84388F801832EA4D9768BDE7CD505D730
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ecf9948244fb180f3218659b2276fec5f0e0b2484f239b0f5a362a7c94b9c646
• Instruction ID: 57585f55a8db03dec92d6135a0f2ed82dfdaf98e9654cc7934269a7cf32d6272
• Opcode Fuzzy Hash: ecf9948244fb180f3218659b2276fec5f0e0b2484f239b0f5a362a7c94b9c646
• Instruction Fuzzy Hash: 1512A332B2CA9AD9EB10EF72C4612ED2761EF91344F800832E64D47ADADF38D645C760
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
• Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25436a7cbd74014a54dbca1e2ad640bb45033137a792dd7e05ffba4b7717c84d
• Instruction ID: 18cd7f9f9221e42e79c478f65e313fb9273e70d62cede7a6ae4555716c4b6613
• Opcode Fuzzy Hash: 25436a7cbd74014a54dbca1e2ad640bb45033137a792dd7e05ffba4b7717c84d
• Instruction Fuzzy Hash: 7E028222B2C66AD5EA00EF62D5651ED6364EF94384F801832EE4D83A9ADF3CE545C770
Uniqueness
Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
Similarity
• API ID: FileFindNext
• String ID:
• API String ID: 2029273394-0
                                                                            • API String ID:
                                                                            • Opcode ID: c9aa67c4f42f0dc04bfc4c3fc88b13842e585507a9ff165ebfaf896c41a7855b
                                                                            • Instruction ID: 96e3b0afef3945bba5401bb06cec60a85f910f7996e330048cf88467e0277057
                                                                            • Opcode Fuzzy Hash: c9aa67c4f42f0dc04bfc4c3fc88b13842e585507a9ff165ebfaf896c41a7855b
                                                                            • Instruction Fuzzy Hash: E9A1BF32B0C66AD5EB10EB6294602BA22E5EF98784F440937DE5D537D5EF38E941C370
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
                                                                            • Instruction ID: 5294df780cfba91cfe06979aab40d5e1b33e16349ab0bb0c888b0e7188b42704
                                                                            • Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
                                                                            • Instruction Fuzzy Hash: C0A1367280C2BAC5FB658A32802537A3BB1EF11708F154433DAEE465D5DE2CEA89D730
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
                                                                            • Instruction ID: 74ba2630e6230bbd936a1decefbb181092ccd02935c5053fc779fc3082c0de49
                                                                            • Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
                                                                            • Instruction Fuzzy Hash: A2A1367280C2BAC5FB658A32802537A7BF1EF11709F154433DAAE465D5DE2CEA89D730
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
                                                                            • Instruction ID: e0e9da7c3e9869cb0333a26431ac643db5d9525d82819a645906e64873d05359
                                                                            • Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
                                                                            • Instruction Fuzzy Hash: 31A1267280C2BAC5FB658A32802537A7BB1EF11709F154433DAAE465D5DE2CEA89D730
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
                                                                            • Instruction ID: bd8021cbe37d2f6d0dabc166cd4f60138c8b0fc152884de69f09d8e1225c4239
                                                                            • Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
                                                                            • Instruction Fuzzy Hash: 3FA1267280C2BAC5FB658A32802537A7BF1EF11705F154433DAAD465D5DE2CEA89DB30
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
                                                                            • Instruction ID: 7a2e220692977701b417ff3be56bd98663de9707aa22b67a2a8d36ebf1f56f36
                                                                            • Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
                                                                            • Instruction Fuzzy Hash: B7A1367280C2BAC5FB658A32802537A7BF1EF11709F154433DAAE465D5DE2CEA89D730
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 569d583be82325c813b668e3fae29fac5c2c643f185a7702baf3db750c305004
                                                                            • Instruction ID: c68592b63e5b3076dc9b7a7f157d5ba28381f570baffca0908ffa2234d77f27d
                                                                            • Opcode Fuzzy Hash: 569d583be82325c813b668e3fae29fac5c2c643f185a7702baf3db750c305004
                                                                            • Instruction Fuzzy Hash: 60919136B0D66AC6EB50EB62D5742BD23A5AF84748F444832DE0E87B95EE3CE405C370
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d50560bdfbda826e81843fbf93004351cf64035d4d4cac07f969261b8185ab4f
                                                                            • Instruction ID: 58e6adaf04f4b18b863b11ab28f7770e31745f244224362a6ec96609ce38e199
                                                                            • Opcode Fuzzy Hash: d50560bdfbda826e81843fbf93004351cf64035d4d4cac07f969261b8185ab4f
                                                                            • Instruction Fuzzy Hash: 3BA16422B1C66AD9FB10EB72D5651FC2365AF94348F804932EA0D57ACAEF38E505D370
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d7e81a262cda3168bcad7e7504a26cb2082127080fdf78040bff04c52d5a9599
                                                                            • Instruction ID: ca5011bcb9a503e4cd051b1944a73470f628b9bc4299dc10f8cde028ecc7d0c4
                                                                            • Opcode Fuzzy Hash: d7e81a262cda3168bcad7e7504a26cb2082127080fdf78040bff04c52d5a9599
                                                                            • Instruction Fuzzy Hash: 37913122F1C62AD9EB10EBB2C5651FC13659F94348F804836DD0D976CAEE2CE509D370
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3bcda5f2e61e4c1def9d688b2f5660763abb74eff223fccdf401fc2a77c4feb5
                                                                            • Instruction ID: 6e5ed03eae513f3f001ba5eecf4b45f328a5982cdf5fe9e6da322c660c4ab47d
                                                                            • Opcode Fuzzy Hash: 3bcda5f2e61e4c1def9d688b2f5660763abb74eff223fccdf401fc2a77c4feb5
                                                                            • Instruction Fuzzy Hash: E9817076A182A9CBE764CF2A8058B6D36A8FF04754F11497ADF4D87B84DF39E840CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b85e566c5cd1b3efafa7de1cf7fdb180de4cf711e5ead7e0c2a340013c9006fe
                                                                            • Instruction ID: 3a1b889e16bcc08509788f1d13176ad25cebf2091a465961d1f8f3942883a97d
                                                                            • Opcode Fuzzy Hash: b85e566c5cd1b3efafa7de1cf7fdb180de4cf711e5ead7e0c2a340013c9006fe
                                                                            • Instruction Fuzzy Hash: 1381B962A0CA6AC6EB218B2BD66007D6B65FF85B90F184532CE8E87755CE3CF441C730
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f1f3b5d1f381441116eef44686c6cbc86ac4360f19897277b7bf3a5d517a81fc
                                                                            • Instruction ID: dde992cd60c7d717485350bfd260ffbd8b66da1e6164a84abbf2e7da0e465343
                                                                            • Opcode Fuzzy Hash: f1f3b5d1f381441116eef44686c6cbc86ac4360f19897277b7bf3a5d517a81fc
                                                                            • Instruction Fuzzy Hash: 39917E22B1C56ACAF710EB62D4612FE23A0EF94748F845832DA4E876D6DF2CE445D770
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ce8bba41df0b631ae6b7206df5ab0a6277447c4f11eb6ec05468c548c9ecf811
                                                                            • Instruction ID: a701dd3ee7d457476a5bf1ab615e861c55e515390d5bb5e62fddeeeaee816f4b
                                                                            • Opcode Fuzzy Hash: ce8bba41df0b631ae6b7206df5ab0a6277447c4f11eb6ec05468c548c9ecf811
                                                                            • Instruction Fuzzy Hash: 80914E32B1C56AD6EB10EBB2D5612ED2361AF80358F800932DE1D979DADF3CE555C360
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f4ab40f336fdfb1061e144a8cc54dd8d077ea0d8f8a68ce9c2a609d9519aa0c7
                                                                            • Instruction ID: 3ea768013565d162a61b8ddd2a238cb8e7b319b364739ed23abfeb19a90b33b3
                                                                            • Opcode Fuzzy Hash: f4ab40f336fdfb1061e144a8cc54dd8d077ea0d8f8a68ce9c2a609d9519aa0c7
                                                                            • Instruction Fuzzy Hash: 28719321B0D66AD5EB14EB72D2742BD5291DF88788F444836EE0D87BCAEE3CE505D321
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4dcde41e0a7583d518310dfbb963ee780db1660248ca706961fee8ac5049723c
                                                                            • Instruction ID: 3c4b9f7f2dd86e03d3a2c492313c7645135a8887e6ff404908b938808a703ce6
                                                                            • Opcode Fuzzy Hash: 4dcde41e0a7583d518310dfbb963ee780db1660248ca706961fee8ac5049723c
                                                                            • Instruction Fuzzy Hash: AC611521B1C66AC1EB50EB2395315BA52A0EF857D0F444A33EE6D877D6EF2CE441CB20
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 90c36971f46e003a861835c282887fceece629fa51251a8ea25984ac83311837
                                                                            • Instruction ID: 501d39a54b2ef7533b12af3bdbe2dab0ad59bb3b8de8c2f7c0a40a5bfeceffd7
                                                                            • Opcode Fuzzy Hash: 90c36971f46e003a861835c282887fceece629fa51251a8ea25984ac83311837
                                                                            • Instruction Fuzzy Hash: 79715736B0CA2AC9EB14DB66D0712BD23A1EF84B48F544832DE0E47B89DE38D549C720
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 798e347792bcf9b81b96428d86b51cfbcdcb2c80bf44afc999fdb096d1e74fe6
                                                                            • Instruction ID: 9ac892af78273f6a22dcb2e7bb72484fa6067b4af3325719340a8486194df159
                                                                            • Opcode Fuzzy Hash: 798e347792bcf9b81b96428d86b51cfbcdcb2c80bf44afc999fdb096d1e74fe6
                                                                            • Instruction Fuzzy Hash: ED61A621B1D56AD5FB10EB72C0742FD1365AF88788F844833EA0D5BACAEE2CD501E761
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b4dc2bfabc17449b75592575b237d49754ff1d7599ab7260522444cf79d2ee90
                                                                            • Instruction ID: bd216cceeabf8faf67b2f5684bec936890e3dd5d06c7de24641fe20e0585b771
                                                                            • Opcode Fuzzy Hash: b4dc2bfabc17449b75592575b237d49754ff1d7599ab7260522444cf79d2ee90
                                                                            • Instruction Fuzzy Hash: 2C61A722A2C66AC1FA20EB16D0756BE6361FF85784F805932FA5D47ACADF3CD504D720
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            • Opcode ID: 275f6da6b97318c83fb225dda8a1cf2de2bb796bd6b45b7edf39d740dbf5db77
                                                                            • Instruction ID: a71eb33b07153204e8a72bc6600ab81f7c7120c8a01e38ab7ca8b6f2a320d363
                                                                            • Opcode Fuzzy Hash: 275f6da6b97318c83fb225dda8a1cf2de2bb796bd6b45b7edf39d740dbf5db77
                                                                            • Instruction Fuzzy Hash: 4E517532A1C56AD6FB50EB62D4752FE6361FF84344F840832EA4D47A9ADE2CE544DB20
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0cfd4d3a38dcc9c286a30951bdd9187095240217e9738b6b55d4f719d628df71
                                                                            • Instruction ID: 82ac3c10ca98d0d09637ed8355f4b5ab220335fcb4da00906bc4a41f9ca85301
                                                                            • Opcode Fuzzy Hash: 0cfd4d3a38dcc9c286a30951bdd9187095240217e9738b6b55d4f719d628df71
                                                                            • Instruction Fuzzy Hash: 8F51C232A1C79AC5EB10DB26D4A42BDA3A1FF85784F404936EA4D47BDADE3CD501CB20
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 26a7ff3bafcc2a37528706618fae0f8a897251bd7c282e2d47e5eb98ccc3a526
                                                                            • Instruction ID: e63a974e16e48b22ef300a31934539b827998cf2d45591566448f5dc67f31cf6
                                                                            • Opcode Fuzzy Hash: 26a7ff3bafcc2a37528706618fae0f8a897251bd7c282e2d47e5eb98ccc3a526
                                                                            • Instruction Fuzzy Hash: 14613932508B85C1E750DF32A454AED33A9FB48B88F984539EE9D4B35ADF398056E334
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9d04c4905bf18e0a6290439cd50923c1c84a3f6567b06c6e696e708ae0d6a31f
                                                                            • Instruction ID: 05b05996f8a2426751c498e914511c575ae22d3027ed914654adfc16f981c537
                                                                            • Opcode Fuzzy Hash: 9d04c4905bf18e0a6290439cd50923c1c84a3f6567b06c6e696e708ae0d6a31f
                                                                            • Instruction Fuzzy Hash: DC51722272C5AAD1EA50EB23D5656AE6365FF85BC0F805833EE4D43B86DE3CD404DB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c88a559203c7cebfbd6855f8d2fd484b342d8cb8f626eff4b2b47ba49cdf8c80
                                                                            • Instruction ID: aa11da51afd0b857bbaa584026fa050e44764d5caa9f7f21b5103401461f73f4
                                                                            • Opcode Fuzzy Hash: c88a559203c7cebfbd6855f8d2fd484b342d8cb8f626eff4b2b47ba49cdf8c80
                                                                            • Instruction Fuzzy Hash: B4518122B1C55AD9FB10DB62D4716FD2365AF84788F844832EE0D96ACADE3CE505D360
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0ae699ce5c0bbda65b5b1ef91aada53cd0acd1d5adef34fe9746f0cfa28bcfde
                                                                            • Instruction ID: 2686e77250481ddc1aefde792cd29611379c958248e71f9e9655d3a39b1f9c3e
                                                                            • Opcode Fuzzy Hash: 0ae699ce5c0bbda65b5b1ef91aada53cd0acd1d5adef34fe9746f0cfa28bcfde
                                                                            • Instruction Fuzzy Hash: 0B51A222B1C56AD5FB50EB72D4653FE6361BF84348F840832EA4D4698ADF3CE549DB20
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2b3305b9fafefbf6d9665b48dca7e44a69e4cfd2294423a0bed973e24c3a70c7
                                                                            • Instruction ID: 79f8dd94e3813cfb9124b726a28ced120187c219456e1079bc472f40f3eacc62
                                                                            • Opcode Fuzzy Hash: 2b3305b9fafefbf6d9665b48dca7e44a69e4cfd2294423a0bed973e24c3a70c7
                                                                            • Instruction Fuzzy Hash: 8C51B132A1CA6AD2EA10DB22C5655BE6364FF98750F814932EE0D83792DF3CE155C720
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a0c5eff94ab1069691c4844bc6226e708b04ada7520549e9c415e38db7fabc1b
                                                                            • Instruction ID: 58f2c44165fd3c0acecf53169d14a9bdb0eef9b183e5b6a77f0c3d529a34d619
                                                                            • Opcode Fuzzy Hash: a0c5eff94ab1069691c4844bc6226e708b04ada7520549e9c415e38db7fabc1b
                                                                            • Instruction Fuzzy Hash: DC417F22F2C53AC5FB14EB7298651FD1261AF88784F854832EE1E57A9ADE2CD541D320
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e4d8bc27a582ef8d29315fb647332a4b76fe57972c11c4165758e2aa1f2c7868
                                                                            • Instruction ID: 9084fd8b620d442859af02e8f1ad31bb6c8aa8fa693755aebda6e0ae5634f256
                                                                            • Opcode Fuzzy Hash: e4d8bc27a582ef8d29315fb647332a4b76fe57972c11c4165758e2aa1f2c7868
                                                                            • Instruction Fuzzy Hash: AD510632618BA4C5E744DF36E8542DD33A8FB48F88F58853AEA8D4B799DF348052D760
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8d5522483151d29cc1ab9e0e0eb5f9bdd0ac6375b7f5cd2107375de97b23ccdb
                                                                            • Instruction ID: 7f7e2a35a9c7d226aee8e6aef9966f9abd1dcac2b6e9d73ddd2415d1dc7a8aa8
                                                                            • Opcode Fuzzy Hash: 8d5522483151d29cc1ab9e0e0eb5f9bdd0ac6375b7f5cd2107375de97b23ccdb
                                                                            • Instruction Fuzzy Hash: A7511472709755CAE7649F71A0603AE3692EF84308F148939EA4E0BBC9DF3DC411C720
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateMutex
                                                                            • String ID:
                                                                            • API String ID: 1964310414-0
                                                                            • Opcode ID: 38d7dda58c0679c6977d4be68162329fe93ef909192df4c5a73cbb15fa83e01e
                                                                            • Instruction ID: 0d2a502285d57ebc34fc421785ceaf53f410ae01ac71eae8710981951f9a23ff
                                                                            • Opcode Fuzzy Hash: 38d7dda58c0679c6977d4be68162329fe93ef909192df4c5a73cbb15fa83e01e
                                                                            • Instruction Fuzzy Hash: 52517A32718A96E2E708DB22D5A13E9B368FF48340F908426DB5C57655CF38E1B6D710
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d55567f7f273d0114b6f9410826bea7b15bcd4cc08515cb4158118f754d9868c
                                                                            • Instruction ID: 25faf22ec587904ae01c65cff4c3d4824544fe37a83aebe7ffc93a729283a812
                                                                            • Opcode Fuzzy Hash: d55567f7f273d0114b6f9410826bea7b15bcd4cc08515cb4158118f754d9868c
                                                                            • Instruction Fuzzy Hash: 57511832618BA5C5E744DF35E8512DD33A8FB48F88F58453AEA8D4B799DF348052D360
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4b1fead93054258a54130b91537c3a8daa966aa2fadcba53e9f14037a1a1fe7d
                                                                            • Instruction ID: c083a88df49a69033581e0a1463ab54f4693d5f5c4adab289f5ad5f0932ea1ae
                                                                            • Opcode Fuzzy Hash: 4b1fead93054258a54130b91537c3a8daa966aa2fadcba53e9f14037a1a1fe7d
                                                                            • Instruction Fuzzy Hash: 4F314872A0CA69C2F6549B07A4A127976A1EF88340F948577DBAD433C8DEBCD8C1C760
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 25f9d156710a96b2c26b0618203b3b02571b95e83806bfe28e8d5b0c11668b02
                                                                            • Instruction ID: bef1246b6bd62546e7d08921d2c2a35d93a2278047012230672b22c551db1aa6
                                                                            • Opcode Fuzzy Hash: 25f9d156710a96b2c26b0618203b3b02571b95e83806bfe28e8d5b0c11668b02
                                                                            • Instruction Fuzzy Hash: BD315C32624B54D1E248DF26D8942ED73A9FB88B88FA88436E38C07695DF79D063D310
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true
                                                                            • Associated: 00000000.00000002.274205923.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274496167.00007FFC67143000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274522065.00007FFC67156000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.274545976.00007FFC67158000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 288751330fbc12dfa7c57884471a2cf55a6adf9df6ede5974d900619b2209c55
                                                                            • Instruction ID: 4680ba70c6a3af8f97329cdf6f7b6a2c3e848f611ae0c9f168beba79b5b52dee
                                                                            • Opcode Fuzzy Hash: 288751330fbc12dfa7c57884471a2cf55a6adf9df6ede5974d900619b2209c55
                                                                            • Instruction Fuzzy Hash: 11311036614B44C0D740DF3599942ED72E9FF98B88FA88836D64C4A5A5DF79C057E320
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage: 18.7%
                                                                            Dynamic/Decrypted Code Coverage: 100%
                                                                            Signature Coverage: 0%
                                                                            Total number of Nodes: 15
                                                                            Total number of Limit Nodes: 1
                                                                            execution_graph (node id, address, API called at that node; then the edges)
                                                                            • Nodes: 226 1b4136b2978; 227 1b4136b2986; 232 1b4136b2060 VirtualAlloc; 229 1b4136b29a2; 234 1b4136b2264; 231 1b4136b29ba; 233 1b4136b20c4; 235 1b4136b230f; 236 1b4136b238c VirtualProtect; 237 1b4136b23ee; 238 1b4136b244d VirtualProtect; 239 1b4136b2507 VirtualProtect; 240 1b4136b2544; 242 1b4136b25c5; 243 1b4136b258c RtlAvlRemoveNode
                                                                            • Edges: 226->227, 227->232, 229->234, 232->233, 233->229, 234->235, 234->236, 235->236, 236->237, 237->238, 238->239, 238->240, 239->240, 240->242, 240->243, 242->231, 243->242

                                                                            Callgraph

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.361984298.000001B4136B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B4136B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_1b4136b0000_rundll32.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual$NodeRemove
                                                                            • String ID:
                                                                            • API String ID: 3879549435-0
                                                                            • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction ID: c20d198818f812762298bd4414392727eec44091d745325d84c5480c2867557a
                                                                            • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction Fuzzy Hash: B4B152B6618BC486D730CB1AE4807DEB7A0F7C9B80F108126EE8D57B59DB39C8918F44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001B4136B29A2), ref: 000001B4136B20B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.361984298.000001B4136B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B4136B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_1b4136b0000_rundll32.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction ID: e87ee7ff7679b97bf05a0d6f4421543faf64ef3627b6c4f6683f1b65b442883b
                                                                            • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction Fuzzy Hash: B5313C76615B90C6D790DF1AE49579A7BB0F389BD4F205026EF8D87B18DF39C4828B04
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage: 18.7%
                                                                            Dynamic/Decrypted Code Coverage: 100%
                                                                            Signature Coverage: 0%
                                                                            Total number of Nodes: 15
                                                                            Total number of Limit Nodes: 1
                                                                            execution_graph (node id, address, API called at that node; then the edges)
                                                                            • Nodes: 226 1a65a442978; 227 1a65a442986; 232 1a65a442060 VirtualAlloc; 229 1a65a4429a2; 234 1a65a442264; 231 1a65a4429ba; 233 1a65a4420c4; 235 1a65a44238c VirtualProtect; 236 1a65a44230f; 237 1a65a4423ee; 238 1a65a44244d VirtualProtect; 239 1a65a442507 VirtualProtect; 240 1a65a442544; 242 1a65a4425c5; 243 1a65a44258c RtlAvlRemoveNode
                                                                            • Edges: 226->227, 227->232, 229->234, 232->233, 233->229, 234->235, 234->236, 235->237, 236->235, 237->238, 238->239, 238->240, 239->240, 240->242, 240->243, 242->231, 243->242

                                                                            Callgraph

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.254104458.000001A65A440000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A65A440000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_1a65a440000_rundll32.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual$NodeRemove
                                                                            • String ID:
                                                                            • API String ID: 3879549435-0
                                                                            • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction ID: 075a081627d003ea7cfd0f2bafed24a7ed272a17833b30a566666718db3f2e4f
                                                                            • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction Fuzzy Hash: 4CB151B6619BC486D7308F5AE440BDEB7A0F799B84F148026EEC953B98DB39C8418F40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001A65A4429A2), ref: 000001A65A4420B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.254104458.000001A65A440000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A65A440000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_1a65a440000_rundll32.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction ID: 31541dda8601241f6ead38e7dd94ef2d1bfd1b2dd3c3c88ab21486454545f26a
                                                                            • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction Fuzzy Hash: 31315AB2615B8086D790CF1AE45479A7BB0F389BC4F204026EF8D87B58DF3AC482CB00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage: 18.7%
                                                                            Dynamic/Decrypted Code Coverage: 100%
                                                                            Signature Coverage: 0%
                                                                            Total number of Nodes: 15
                                                                            Total number of Limit Nodes: 1
                                                                            execution_graph 226 2a99d012978 227 2a99d012986 226->227 232 2a99d012060 VirtualAlloc 227->232 229 2a99d0129a2 234 2a99d012264 229->234 231 2a99d0129ba 233 2a99d0120c4 232->233 233->229 235 2a99d01238c VirtualProtect 234->235 236 2a99d01230f 234->236 237 2a99d0123ee 235->237 236->235 238 2a99d01244d VirtualProtect 237->238 239 2a99d012544 238->239 243 2a99d012507 VirtualProtect 238->243 241 2a99d01258c RtlAvlRemoveNode 239->241 242 2a99d0125c5 239->242 241->242 242->231 243->239

                                                                            Callgraph

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.260369270.000002A99D010000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002A99D010000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_2a99d010000_rundll32.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual$NodeRemove
                                                                            • String ID:
                                                                            • API String ID: 3879549435-0
                                                                            • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction ID: c85073091e1881e36a5dd9030ff34978450e8468f00858cc8a311cb7b3efd6b9
                                                                            • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction Fuzzy Hash: 3EB16876618BC586D770CB1AE48079EB7A0F7C9B84F108126EE8D57B58DF79C8918F40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000002A99D0129A2), ref: 000002A99D0120B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.260369270.000002A99D010000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002A99D010000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_2a99d010000_rundll32.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction ID: ae60fe3ae1f2de58b7724af65103d4799915aeb3f1664b566d7e792477c4b706
                                                                            • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction Fuzzy Hash: 63313C76715B9086D790DF1AE49579A7BB0F389BD4F205026EF8D87B18DF7AC4828B00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage: 18.7%
                                                                            Dynamic/Decrypted Code Coverage: 100%
                                                                            Signature Coverage: 0%
                                                                            Total number of Nodes: 15
                                                                            Total number of Limit Nodes: 1
                                                                            execution_graph 226 1ff796f2978 227 1ff796f2986 226->227 232 1ff796f2060 VirtualAlloc 227->232 229 1ff796f29a2 234 1ff796f2264 229->234 231 1ff796f29ba 233 1ff796f20c4 232->233 233->229 235 1ff796f238c VirtualProtect 234->235 236 1ff796f230f 234->236 237 1ff796f23ee 235->237 236->235 238 1ff796f244d VirtualProtect 237->238 239 1ff796f2507 VirtualProtect 238->239 240 1ff796f2544 238->240 239->240 242 1ff796f25c5 240->242 243 1ff796f258c RtlAvlRemoveNode 240->243 242->231 243->242

                                                                            Callgraph

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.267841455.000001FF796F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FF796F0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_1ff796f0000_rundll32.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual$NodeRemove
                                                                            • String ID:
                                                                            • API String ID: 3879549435-0
                                                                            • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction ID: d769e9d3f8e0510f3a95f982669d79a35c92397b137c028dfbe8920dc5390862
                                                                            • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction Fuzzy Hash: ECB14677618BC586D770CB1AE4407EAB7A1F7C9B80F10812ADE8D57B58DB79C8528F40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001FF796F29A2), ref: 000001FF796F20B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.267841455.000001FF796F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FF796F0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_8_2_1ff796f0000_rundll32.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction ID: 2398e0cddd787f3e3382868fceea1f24d464e6aad55aa88344680b0f2dba5026
                                                                            • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction Fuzzy Hash: 553180B2615B8486D790DF1AE45479A7BB1F789BC4F214126EF8D87B18DF7AC442CB00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage: 2.4%
                                                                            Dynamic/Decrypted Code Coverage: 93.8%
                                                                            Signature Coverage: 0.8%
                                                                            Total number of Nodes: 129
                                                                            Total number of Limit Nodes: 16

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true
                                                                            • Associated: 00000015.00000002.383757129.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383834389.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383884316.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383895274.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc74c20000_FileHistory.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ProtectVirtual$CloseContinueCreateHandlerThreadUserVectored
                                                                            • String ID:
                                                                            • API String ID: 238847861-0
                                                                            • Opcode ID: ffdb2e897d51309c9cfa44661aa458b34e077ee3b8b64c7fddac15a101757554
                                                                            • Instruction ID: 8a9d40a72f03e44d7ba9058b8d423f67047967e4a92ba9bcfcf0683ef3eeee7c
                                                                            • Opcode Fuzzy Hash: ffdb2e897d51309c9cfa44661aa458b34e077ee3b8b64c7fddac15a101757554
                                                                            • Instruction Fuzzy Hash: 8351EF73719765CAE7649F70A0803AE36E2EB85348F54813AEA4E0BB9ADF3DD401C711
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true
                                                                            • Associated: 00000015.00000002.383757129.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383834389.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383884316.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383895274.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc74c20000_FileHistory.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 794fddeec091488d0266f77ce4b42b0e8f4fd83534cd91505d3ec6062436d045
                                                                            • Instruction ID: 04ce9d5607f9be03514e3476240780cbdb00e9d251f0c834be8ef49b146f8ff6
                                                                            • Opcode Fuzzy Hash: 794fddeec091488d0266f77ce4b42b0e8f4fd83534cd91505d3ec6062436d045
                                                                            • Instruction Fuzzy Hash: AF03B227B28BAAC1EB149B25D5802B977A1FF45B88F488037CA0D47795EF3CE545C362
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true
                                                                            • Associated: 00000015.00000002.383757129.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383834389.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383884316.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383895274.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc74c20000_FileHistory.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InfoSystem
                                                                            • String ID:
                                                                            • API String ID: 31276548-0
                                                                            • Opcode ID: 71be521c66c2e521a4a3a2acf0d2581604644030785edf8a38092361cc74bd07
                                                                            • Instruction ID: bb7e1cca93b4b5cdf135848572aa380b3d6dacb99a52bde289810076a28ce7ed
                                                                            • Opcode Fuzzy Hash: 71be521c66c2e521a4a3a2acf0d2581604644030785edf8a38092361cc74bd07
                                                                            • Instruction Fuzzy Hash: D382C163B287AAC2EB669B35D4802B977A1FB45B84F484437CA4D0779ADF3CE540C361
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true
                                                                            • Associated: 00000015.00000002.383757129.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383834389.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383884316.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383895274.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc74c20000_FileHistory.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3a9b5fde6fea638bca7eb2fa8a031851fec4002b7951c58cff6a2789b1a3b61c
                                                                            • Instruction ID: ebf0ed9d54a735bb9d5d01d075771e083f5ca9ca24441187bdfaf684af3577f3
                                                                            • Opcode Fuzzy Hash: 3a9b5fde6fea638bca7eb2fa8a031851fec4002b7951c58cff6a2789b1a3b61c
                                                                            • Instruction Fuzzy Hash: C472B163B287AAC1EB158B25D4803B977A1FB45B84F888437CA1D07799DF3CE951C362
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1615 7ffc74c67770-7ffc74c67780 call 7ffc74c675b0 1618 7ffc74c677a2-7ffc74c677a7 1615->1618 1619 7ffc74c67782-7ffc74c67794 call 7ffc74c69ad0 1615->1619 1622 7ffc74c6779b 1619->1622 1623 7ffc74c67796-7ffc74c67799 NtClose 1619->1623 1622->1618 1623->1622
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true
                                                                            • Associated: 00000015.00000002.383757129.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383834389.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383884316.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383895274.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc74c20000_FileHistory.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            • Opcode ID: 860ba978492d36cdfe31f6537ec1931d4b76ea568ca190dfd252f9a33af48d82
                                                                            • Instruction ID: 72ed8d3d9af2847b2398ad6ccae687d48c2cd243c3cf94c5b6924fe3d37706e1
                                                                            • Opcode Fuzzy Hash: 860ba978492d36cdfe31f6537ec1931d4b76ea568ca190dfd252f9a33af48d82
                                                                            • Instruction Fuzzy Hash: 9CD05E52A36619C1FE2567A2A1823B402908F99704F0884B2CE8D0A3D7EE2CA885C333
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1624 7ff6811e7570-7ff6811e7587 SetUnhandledExceptionFilter
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383471380.00007FF6811E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6811E0000, based on PE: true
                                                                            • Associated: 00000015.00000002.383455947.00007FF6811E0000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383601316.00007FF681200000.00000004.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383612347.00007FF681202000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383639755.00007FF681221000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ff6811e0000_FileHistory.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            • Opcode ID: c9b2b50406bbf5d5202ddcccc0dda5e5e6a2367eb5eb6ee1f2599cd6d21bcebc
                                                                            • Instruction ID: 0905ec1754b5378a7fba5c5b2ee8742855671a215edbce5fe66ea5048ac9bc72
                                                                            • Opcode Fuzzy Hash: c9b2b50406bbf5d5202ddcccc0dda5e5e6a2367eb5eb6ee1f2599cd6d21bcebc
                                                                            • Instruction Fuzzy Hash: 08B09260E16482D1E708ABA1AC920B01AA07F58310FC10474C04DC1920DE2C929BC740
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 0 7ffc74c576e0-7ffc74c57703 call 7ffc74c684e0 3 7ffc74c57762-7ffc74c57795 call 7ffc74c684f0 call 7ffc74c553a0 call 7ffc74c61660 call 7ffc74c69ad0 0->3 4 7ffc74c57705-7ffc74c5770a 0->4 25 7ffc74c577a5-7ffc74c577b5 call 7ffc74c55020 3->25 26 7ffc74c57797-7ffc74c577a3 GetModuleFileNameA 3->26 5 7ffc74c57753-7ffc74c57760 call 7ffc74c686f0 4->5 6 7ffc74c5770c-7ffc74c5770f 4->6 5->3 8 7ffc74c57711-7ffc74c5772c call 7ffc74c684f0 5->8 6->8 9 7ffc74c5772d-7ffc74c57752 call 7ffc74c54b50 call 7ffc74c684f0 6->9 29 7ffc74c577e2-7ffc74c577f4 25->29 30 7ffc74c577b7-7ffc74c577ca call 7ffc74c74530 25->30 26->25 32 7ffc74c5784b-7ffc74c5785d call 7ffc74c69ad0 29->32 33 7ffc74c577f6-7ffc74c577f9 29->33 30->29 42 7ffc74c577cc-7ffc74c577d6 30->42 43 7ffc74c5786d-7ffc74c57877 call 7ffc74c7ddc0 32->43 44 7ffc74c5785f-7ffc74c57864 32->44 34 7ffc74c57811-7ffc74c57814 33->34 35 7ffc74c577fb-7ffc74c5780d call 7ffc74c69ad0 33->35 40 7ffc74c57843-7ffc74c5784a call 7ffc74c559f0 34->40 41 7ffc74c57816-7ffc74c5781e call 7ffc74c55cd0 34->41 35->34 49 7ffc74c5780f 35->49 40->32 51 7ffc74c57823-7ffc74c57842 call 7ffc74c60e20 41->51 42->29 48 7ffc74c577d8-7ffc74c577df 42->48 55 7ffc74c57879-7ffc74c57881 call 7ffc74c576e0 43->55 56 7ffc74c57886-7ffc74c578c8 call 7ffc74c51260 call 7ffc74c66920 call 7ffc74c60e20 call 7ffc74c69ad0 43->56 44->43 48->29 49->34 55->56 67 7ffc74c578ca-7ffc74c578d6 call 7ffc74c61310 56->67 68 7ffc74c578db-7ffc74c578f0 call 7ffc74c69ad0 56->68 67->68 73 7ffc74c578f2-7ffc74c57901 call 7ffc74c61310 68->73 74 7ffc74c57906-7ffc74c5791b call 7ffc74c69ad0 68->74 73->74 79 7ffc74c57931-7ffc74c57973 call 7ffc74c62a60 call 7ffc74c62000 call 7ffc74c60e20 call 7ffc74c60f10 74->79 80 7ffc74c5791d-7ffc74c5792c call 7ffc74c61310 74->80 91 7ffc74c5797e-7ffc74c579cc call 7ffc74c60f40 call 7ffc74c62340 call 7ffc74c614d0 call 7ffc74c60e20 79->91 92 7ffc74c57975-7ffc74c5797a 79->92 80->79 101 7ffc74c579d2-7ffc74c579e3 91->101 102 7ffc74c57ae7-7ffc74c57af9 call 7ffc74c69ad0 91->102 92->91 101->102 105 7ffc74c57b09-7ffc74c57b33 call 7ffc74c63fd0 call 7ffc74c60e20 102->105 106 7ffc74c57afb-7ffc74c57b00 102->106 106->105
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true
                                                                            • Associated: 00000015.00000002.383757129.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383834389.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383884316.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383895274.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc74c20000_FileHistory.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileModuleName
                                                                            • String ID: )8GV$UsS$UsS$d
                                                                            • API String ID: 514040917-2529742583
                                                                            • Opcode ID: 20b11de6978a828222f7f6d72d36fae21482c049acdced23b59f066161fc6e11
                                                                            • Instruction ID: e953847c23db86d55f4df42744529c31493203e4d5e073d23efd0b2bea9b828a
                                                                            • Opcode Fuzzy Hash: 20b11de6978a828222f7f6d72d36fae21482c049acdced23b59f066161fc6e11
                                                                            • Instruction Fuzzy Hash: 9791E823B39669C2EA40E725A0911BDA351EF84780F648137EE5E477D7DE2CE940C361
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 150 7ffc74c82e60-7ffc74c82e89 151 7ffc74c82e8b-7ffc74c82e93 150->151 152 7ffc74c82e95 150->152 151->152 153 7ffc74c82e9a-7ffc74c82ec3 call 7ffc74c61a90 151->153 152->153 156 7ffc74c82ec8-7ffc74c82eda call 7ffc74c69ad0 153->156 157 7ffc74c82ec5 153->157 160 7ffc74c82ee0-7ffc74c82ef0 156->160 161 7ffc74c8312e 156->161 157->156 162 7ffc74c83131-7ffc74c83145 call 7ffc74c6d730 call 7ffc74c60e20 160->162 165 7ffc74c82ef6-7ffc74c82efa 160->165 161->162 172 7ffc74c83147-7ffc74c8314b 162->172 173 7ffc74c83166-7ffc74c83175 162->173 165->162 167 7ffc74c82f00-7ffc74c82f21 call 7ffc74c5fcc0 165->167 176 7ffc74c82f27-7ffc74c82f2c 167->176 177 7ffc74c830b5-7ffc74c830c1 167->177 172->173 178 7ffc74c8314d-7ffc74c8315f call 7ffc74c69ad0 172->178 174 7ffc74c83181-7ffc74c83199 call 7ffc74c5fcb0 173->174 175 7ffc74c83177-7ffc74c8317b 173->175 179 7ffc74c832b9-7ffc74c832d0 174->179 195 7ffc74c8319f-7ffc74c831ad 174->195 175->174 175->179 183 7ffc74c82f30-7ffc74c82f3a 176->183 181 7ffc74c830f3-7ffc74c8310d call 7ffc74c60e20 177->181 182 7ffc74c830c3-7ffc74c830ca 177->182 178->173 193 7ffc74c83161 178->193 181->173 197 7ffc74c8310f-7ffc74c83113 181->197 182->181 190 7ffc74c830cc-7ffc74c830d0 182->190 186 7ffc74c82f5f-7ffc74c82f88 call 7ffc74c5fcb0 183->186 187 7ffc74c82f3c-7ffc74c82f40 183->187 206 7ffc74c82f90-7ffc74c82fa2 call 7ffc74c69ad0 186->206 187->186 192 7ffc74c82f42-7ffc74c82f54 call 7ffc74c69ad0 187->192 190->181 196 7ffc74c830d2-7ffc74c830e4 call 7ffc74c69ad0 190->196 210 7ffc74c82f5b 192->210 211 7ffc74c82f56-7ffc74c82f59 RegCloseKey 192->211 199 7ffc74c83164 RegCloseKey 193->199 201 7ffc74c831af-7ffc74c831b5 195->201 202 7ffc74c831bb-7ffc74c831cc call 7ffc74c5fcc0 195->202 214 7ffc74c830eb 196->214 215 7ffc74c830e6 196->215 197->173 204 7ffc74c83115-7ffc74c83127 call 7ffc74c69ad0 197->204 199->173 201->179 201->202 218 7ffc74c831ce 202->218 219 7ffc74c831f8-7ffc74c83203 call 7ffc74c7ddc0 202->219 204->173 221 7ffc74c83129-7ffc74c8312c 204->221 222 7ffc74c82fc0-7ffc74c82fea call 7ffc74c63300 call 7ffc74c66180 call 7ffc74c60e20 206->222 223 7ffc74c82fa4-7ffc74c82fba RegEnumKeyW 206->223 210->186 211->210 214->181 215->214 224 7ffc74c831d0-7ffc74c831e5 call 7ffc74c5fcb0 218->224 219->179 230 7ffc74c83209-7ffc74c83234 call 7ffc74c60180 call 7ffc74c5fcc0 call 7ffc74c60280 219->230 221->199 243 7ffc74c82fec-7ffc74c82ff3 222->243 244 7ffc74c82ff5-7ffc74c83011 call 7ffc74c69ad0 222->244 223->222 226 7ffc74c830b2 223->226 233 7ffc74c831ef-7ffc74c831f2 224->233 234 7ffc74c831e7-7ffc74c831eb 224->234 226->177 249 7ffc74c83268-7ffc74c832b8 call 7ffc74c5fcb0 call 7ffc74c82e60 call 7ffc74c5fca0 230->249 250 7ffc74c83236-7ffc74c83263 call 7ffc74c5fcb0 * 2 call 7ffc74c66d80 230->250 233->179 233->219 234->224 237 7ffc74c831ed 234->237 237->219 243->206 252 7ffc74c83013-7ffc74c8303d RegOpenKeyExW 244->252 253 7ffc74c8303f 244->253 250->249 257 7ffc74c83041-7ffc74c83059 call 7ffc74c61180 252->257 253->257 266 7ffc74c83071-7ffc74c8308d call 7ffc74c61ab0 257->266 267 7ffc74c8305b-7ffc74c8306c call 7ffc74c61b60 257->267 266->177 272 7ffc74c8308f-7ffc74c83093 266->272 267->266 272->177 273 7ffc74c83095-7ffc74c830aa 272->273 273->183 274 7ffc74c830b0 273->274 274->177
                                                                            APIs
                                                                            • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC74C82F59
                                                                            • RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC74C82FB4
                                                                            • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC74C83039
                                                                            • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 00007FFC74C83164
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true
                                                                            • Associated: 00000015.00000002.383757129.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383834389.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383884316.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383895274.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc74c20000_FileHistory.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close$EnumOpen
                                                                            • String ID:
                                                                            • API String ID: 138425441-0
                                                                            • Opcode ID: 06ba0df4a9f65e9d02a11f09cca4ebd09bc5c8b737be47ebcab4b37cc5b0f75f
                                                                            • Instruction ID: 946b3befe0e55c1d712fb0f0e6655864ded854ddfec1efbcfc97cfa9ca622a90
                                                                            • Opcode Fuzzy Hash: 06ba0df4a9f65e9d02a11f09cca4ebd09bc5c8b737be47ebcab4b37cc5b0f75f
                                                                            • Instruction Fuzzy Hash: 14C1A623B2D669C2EE609B56E4803B9A394EF85760F444233EA6D477D6DF3CE805C721
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383194538.00000216CDE30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216CDE30000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_216cde30000_FileHistory.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual$NodeRemove
                                                                            • String ID:
                                                                            • API String ID: 3879549435-0
                                                                            • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction ID: 3323a4eb4239096313e371b0b0b3e375c57c7e082b728686d8f08d92bcef9ac8
                                                                            • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction Fuzzy Hash: 6CB15576618BC586D7308B1AE4447EEB7A1F7D9B84F108026DECD57B58DB3AC8418F80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1005 7ffc74c54dd0-7ffc74c54de6 call 7ffc74c69ad0 1008 7ffc74c54dec-7ffc74c54df0 1005->1008 1009 7ffc74c54de8-7ffc74c54dea ExitProcess 1005->1009
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true
                                                                            • Associated: 00000015.00000002.383757129.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383834389.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383884316.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383895274.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc74c20000_FileHistory.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExitProcess
                                                                            • String ID: -R+
                                                                            • API String ID: 621844428-215093852
                                                                            • Opcode ID: 262a9daca3c6903437174900c16c88979450af6d99b85d49eaf8942293b0e5db
                                                                            • Instruction ID: 8676dd3b9f940401fb4d3b23f13ee76e8c48042009f010b515288a09f96e0a07
                                                                            • Opcode Fuzzy Hash: 262a9daca3c6903437174900c16c88979450af6d99b85d49eaf8942293b0e5db
                                                                            • Instruction Fuzzy Hash: D6C02B15F6732981ECAC33A010C203C10D20F86300FA804BAC21F083C1DC1DE462C321
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC74C6961D), ref: 00007FFC74C82885
                                                                            • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC74C6961D), ref: 00007FFC74C828E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true
                                                                            • Associated: 00000015.00000002.383757129.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383834389.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383884316.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383895274.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc74c20000_FileHistory.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID:
                                                                            • API String ID: 3660427363-0
                                                                            • Opcode ID: 4fab0cdabc577b74abb442e93f1ceda5e2dbadf0fe7474966f9ad26fc3efd0eb
                                                                            • Instruction ID: c23c2f274dc92b2e5cd66ba3ee73c6176e08ccb96d5b38b028b6de6dfff07fe8
                                                                            • Opcode Fuzzy Hash: 4fab0cdabc577b74abb442e93f1ceda5e2dbadf0fe7474966f9ad26fc3efd0eb
                                                                            • Instruction Fuzzy Hash: 2A21B527B2966986EE54CB55A44013AE795EF857F4F084132EE9C07BD8DF7CD481CB10
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true
                                                                            • Associated: 00000015.00000002.383757129.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383834389.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383884316.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383895274.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc74c20000_FileHistory.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: EnumValue
                                                                            • String ID:
                                                                            • API String ID: 2814608202-0
                                                                            • Opcode ID: af68b27f32d806152594ea98ebc8f2426a04b51a09888dca3b9f639ab6fe49d2
                                                                            • Instruction ID: 538f25a3226573fa40108d4c52006088ed136fd11336cd61861760cb59ac8a4a
                                                                            • Opcode Fuzzy Hash: af68b27f32d806152594ea98ebc8f2426a04b51a09888dca3b9f639ab6fe49d2
                                                                            • Instruction Fuzzy Hash: DF113377618B85C6D7209F52F44459AB7A8F788B80F588136EF9D43B04DF38D591CB04
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 1605 7ffc74c670f0-7ffc74c6710e 1606 7ffc74c67110-7ffc74c67126 call 7ffc74c69ad0 1605->1606 1607 7ffc74c67146-7ffc74c67158 call 7ffc74c69ad0 1605->1607 1606->1607 1612 7ffc74c67128-7ffc74c6713f RtlCreateHeap 1606->1612 1613 7ffc74c6715a-7ffc74c67172 1607->1613 1614 7ffc74c67176-7ffc74c67180 1607->1614 1612->1607 1613->1614
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true
                                                                            • Associated: 00000015.00000002.383757129.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383834389.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383884316.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmp
                                                                            • Associated: 00000015.00000002.383895274.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc74c20000_FileHistory.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateHeap
                                                                            • String ID:
                                                                            • API String ID: 10892065-0
                                                                            • Opcode ID: 7e47ca28742369fe6618816808a4c8b1d75f0f49f581dd722c821a23b829cda3
                                                                            • Instruction ID: cb60625c1c6331a805617c32946329ea287646cfd49c95da0a5be674574e5cde
                                                                            • Opcode Fuzzy Hash: 7e47ca28742369fe6618816808a4c8b1d75f0f49f581dd722c821a23b829cda3
                                                                            • Instruction Fuzzy Hash: 6101A726B28669C2E6518B10F99156573A1EF853C4F08C436DA8D067A5EE3CD461CB12
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000216CDE329A2), ref: 00000216CDE320B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383194538.00000216CDE30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000216CDE30000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_216cde30000_FileHistory.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction ID: 22f4360ec62dd61407431294d27c05cd9d05b8680f5388706e9cf6a557562a23
                                                                            • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction Fuzzy Hash: 0C3130B6615B5086D790DF1AE45979A7BB0F389BD4F205026EF8D87B18DF3AC4428B40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • memset.MSVCRT ref: 00007FF6811E1011
                                                                              • Part of subcall function 00007FF6811E1390: InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,00007FF6811E1054), ref: 00007FF6811E1394
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383471380.00007FF6811E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6811E0000, based on PE: true
                                                                            • Associated: 00000015.00000002.383455947.00007FF6811E0000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383601316.00007FF681200000.00000004.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383612347.00007FF681202000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383639755.00007FF681221000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ff6811e0000_FileHistory.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalInitializeSectionmemset
                                                                            • String ID:
                                                                            • API String ID: 3584914384-0
                                                                            • Opcode ID: 487f93c87ab9b7a176c8ad3303933b33621f45341ba73c79b35604da050e29af
                                                                            • Instruction ID: 96b83ed9b1d4cf75b4d60674dbb62397d1316b82cf3d86e0be2bbed6ee5fe6a7
                                                                            • Opcode Fuzzy Hash: 487f93c87ab9b7a176c8ad3303933b33621f45341ba73c79b35604da050e29af
                                                                            • Instruction Fuzzy Hash: AC01C425E19A47C9EB04DB95EDA11B53AA9BF44340F44063ED44DC2A60DE2CE295C740
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383732321.00007FFC03820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC03820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc03820000_FileHistory.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 32f5e97b9f80aa1652833398700ebfa7edc5230a839778d9b3662683c5b1d60a
                                                                            • Instruction ID: cc04024700b77697b8195a7ac84f3c3105c6161ac347061e07de1346aca3d2e2
                                                                            • Opcode Fuzzy Hash: 32f5e97b9f80aa1652833398700ebfa7edc5230a839778d9b3662683c5b1d60a
                                                                            • Instruction Fuzzy Hash: A3519E70D0C69D8FEB54DB688859BE87BE0FF15310F0442BAE54DD6293CA39684ACB25
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383732321.00007FFC03820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC03820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc03820000_FileHistory.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a22cd620906b3cbbe4e2b932ab78ae99430485e2aee8efeaf8b82a4019a71149
                                                                            • Instruction ID: 79d3ba255a188e5a56f1897a254bcce9401b40d4b1d5b080fa24b283e2c349db
                                                                            • Opcode Fuzzy Hash: a22cd620906b3cbbe4e2b932ab78ae99430485e2aee8efeaf8b82a4019a71149
                                                                            • Instruction Fuzzy Hash: F6214B3190CB6C8FDB659F9898496F67BE0EB59320F10426BC48DD3113D675A806C7A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383732321.00007FFC03820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC03820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc03820000_FileHistory.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7c35bdd4e519949dff21e13a7891b8beb501acfe05898fbc6c18f18dd1107d31
                                                                            • Instruction ID: 37a7316cb35377d94d2d3c5f0f37b790b71ab6400270e92e090e57a5a8ab6738
                                                                            • Opcode Fuzzy Hash: 7c35bdd4e519949dff21e13a7891b8beb501acfe05898fbc6c18f18dd1107d31
                                                                            • Instruction Fuzzy Hash: 7B21373180CB5C8FEB65DBA8884E6E57BE0EB56321F04426BC449D3153DA75A40ACBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383732321.00007FFC03820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC03820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc03820000_FileHistory.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5b35d045b3c64cf7203fe7ff7a16360b53fe5b42812ef02eac070267eea206b4
                                                                            • Instruction ID: 6f309f0d7e04972f8ade08d579ce9ecf2d75e1e0afe2a5e084f3d30edb2cb1e7
                                                                            • Opcode Fuzzy Hash: 5b35d045b3c64cf7203fe7ff7a16360b53fe5b42812ef02eac070267eea206b4
                                                                            • Instruction Fuzzy Hash: D711272B90C6AD5EEB02B669F8014E9BF20EF41330B4502B7E248D6093DE551A8FC7B1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383732321.00007FFC03820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC03820000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ffc03820000_FileHistory.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 87d9a96b75ccdeea0583d6bdcb56fa21d5cd562be61d95d16f001d8c7f32d11b
                                                                            • Instruction ID: e4b6814d3cc99f2efc8ca6ec37c1d774f087f62be6660e2f1d11beddc9d5d9a2
                                                                            • Opcode Fuzzy Hash: 87d9a96b75ccdeea0583d6bdcb56fa21d5cd562be61d95d16f001d8c7f32d11b
                                                                            • Instruction Fuzzy Hash: 3ED02E3290968D8FCB80EF10EA408EAB721FF02200B0002E2D42CE3083CA306D69CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383471380.00007FF6811E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6811E0000, based on PE: true
                                                                            • Associated: 00000015.00000002.383455947.00007FF6811E0000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383601316.00007FF681200000.00000004.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383612347.00007FF681202000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383639755.00007FF681221000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ff6811e0000_FileHistory.jbxd
                                                                            Similarity
                                                                            • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                            • String ID:
                                                                            • API String ID: 4104442557-0
                                                                            • Opcode ID: 2d634761a3639b904e3491e4d3ccc995283cef095050c91e7c6814d11b006dff
                                                                            • Instruction ID: 04ee1b3863d2987cab2f609d4c9485a1e26ff00b2e1e5de10f6dafa5fb8328cd
                                                                            • Opcode Fuzzy Hash: 2d634761a3639b904e3491e4d3ccc995283cef095050c91e7c6814d11b006dff
                                                                            • Instruction Fuzzy Hash: 3E111F31A04F45CAEB00DFB1E8541A837E4FB49758B400A39EAAD83B54EF3CD6A4C340
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383471380.00007FF6811E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6811E0000, based on PE: true
                                                                            • Associated: 00000015.00000002.383455947.00007FF6811E0000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383601316.00007FF681200000.00000004.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383612347.00007FF681202000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383639755.00007FF681221000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ff6811e0000_FileHistory.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled$CurrentProcess
                                                                            • String ID:
                                                                            • API String ID: 1249254920-0
                                                                            • Opcode ID: 0d7e853c7fb0fe6a76a4d084c67a9e38c0d463592d4574a4433265186adc3d91
                                                                            • Instruction ID: 19a8b604f8100cd5b7c5bfcdeca5ace67b465d092d4fd994c764d28418c62eb2
                                                                            • Opcode Fuzzy Hash: 0d7e853c7fb0fe6a76a4d084c67a9e38c0d463592d4574a4433265186adc3d91
                                                                            • Instruction Fuzzy Hash: DFD09EF1A1854AC6E7185BF16C151751A35BF98B55B491038CD4F86750DE3C5689C204
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000015.00000002.383471380.00007FF6811E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6811E0000, based on PE: true
                                                                            • Associated: 00000015.00000002.383455947.00007FF6811E0000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383601316.00007FF681200000.00000004.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383612347.00007FF681202000.00000002.00000001.01000000.00000009.sdmp
                                                                            • Associated: 00000015.00000002.383639755.00007FF681221000.00000002.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_21_2_7ff6811e0000_FileHistory.jbxd
                                                                            Similarity
                                                                            • API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
                                                                            • String ID:
                                                                            • API String ID: 2995914023-0
                                                                            • Opcode ID: 8698ae3c9ad918519c6d53765528b6bb676f1c616df4b43868dacc8dbd53a6c8
                                                                            • Instruction ID: a19d1bf73fc46b94e9f9efd77fdee2c01e7d50e0e52bcce4fe67c428c02ed82f
                                                                            • Opcode Fuzzy Hash: 8698ae3c9ad918519c6d53765528b6bb676f1c616df4b43868dacc8dbd53a6c8
                                                                            • Instruction Fuzzy Hash: 1E510771A0C647C6F760CBA1E9613B92AA1BF44784F58013DE98DC2EA5DF3CE685C680
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage:2.9%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:397
                                                                            Total number of Limit Nodes:45
                                                                            execution_graph 76793 7ffc74c57200 76794 7ffc74c5725f 76793->76794 76796 7ffc74c57215 76793->76796 76795 7ffc74c57229 76799 7ffc74c57252 76795->76799 76800 7ffc74c57190 76795->76800 76796->76795 76808 7ffc74c59ad0 76796->76808 76801 7ffc74c571ee 76800->76801 76802 7ffc74c57195 76800->76802 76801->76799 76802->76801 76803 7ffc74c59ad0 _RunAllParam 2 API calls 76802->76803 76804 7ffc74c571b5 76803->76804 76804->76801 76805 7ffc74c59ad0 _RunAllParam 2 API calls 76804->76805 76806 7ffc74c571db 76805->76806 76806->76801 76807 7ffc74c571e0 RtlReleasePrivilege 76806->76807 76807->76801 76809 7ffc74c59ae5 _RunAllParam 76808->76809 76810 7ffc74c59af2 76809->76810 76818 7ffc74c586f0 76809->76818 76810->76795 76812 7ffc74c59b06 76813 7ffc74c59b1d 76812->76813 76824 7ffc74c597d0 76812->76824 76813->76810 76842 7ffc74c58a60 76813->76842 76816 7ffc74c59b12 76816->76810 76817 7ffc74c586f0 _RunAllParam 2 API calls 76816->76817 76817->76813 76820 7ffc74c58728 76818->76820 76819 7ffc74c58796 _RunAllParam 76819->76812 76820->76819 76822 7ffc74c588a3 _RunAllParam 76820->76822 76848 7ffc74c75760 76820->76848 76822->76819 76823 7ffc74c59ad0 _RunAllParam 2 API calls 76822->76823 76823->76819 76825 7ffc74c597f6 _RunAllParam 76824->76825 76852 7ffc74c59230 76825->76852 76827 7ffc74c5980c _RunAllParam 76831 7ffc74c59917 _RunAllParam 76827->76831 76838 7ffc74c59912 _RunAllParam 76827->76838 76856 7ffc74c56180 76827->76856 76861 7ffc74c6ec70 76827->76861 76867 7ffc74c50150 76831->76867 76833 7ffc74c59960 _RunAllParam 76834 7ffc74c59ad0 _RunAllParam FindNextFileW 76833->76834 76835 7ffc74c599c4 _RunAllParam 76834->76835 76836 7ffc74c599f2 76835->76836 76837 7ffc74c599e0 LdrLoadDll 76835->76837 76836->76838 76839 7ffc74c59a02 _RunAllParam 76836->76839 76837->76836 76840 7ffc74c59a43 _RunAllParam 76838->76840 76871 7ffc74c6ec40 LdrLoadDll FindNextFileW _RunAllParam 76838->76871 76839->76840 76870 7ffc74c6ec40 LdrLoadDll 
FindNextFileW _RunAllParam 76839->76870 76840->76816 76843 7ffc74c58a78 _RunAllParam 76842->76843 76844 7ffc74c75760 _RunAllParam 2 API calls 76843->76844 76845 7ffc74c58b72 _RunAllParam 76843->76845 76847 7ffc74c58a8b _RunAllParam 76843->76847 76844->76843 76846 7ffc74c59ad0 _RunAllParam 2 API calls 76845->76846 76845->76847 76846->76847 76847->76810 76850 7ffc74c7580c 76848->76850 76851 7ffc74c75792 76848->76851 76849 7ffc74c59ad0 _RunAllParam 2 API calls 76849->76851 76850->76820 76851->76849 76851->76850 76854 7ffc74c5923e _RunAllParam 76852->76854 76853 7ffc74c59270 _RunAllParam 76853->76827 76854->76853 76855 7ffc74c59ad0 _RunAllParam 2 API calls 76854->76855 76855->76853 76872 7ffc74c555b0 76856->76872 76858 7ffc74c5619a 76859 7ffc74c75760 _RunAllParam 2 API calls 76858->76859 76860 7ffc74c561ca 76859->76860 76860->76827 76863 7ffc74c6ec80 76861->76863 76862 7ffc74c59ad0 _RunAllParam LdrLoadDll 76862->76863 76863->76862 76864 7ffc74c6ece4 76863->76864 76865 7ffc74c6ec94 FindNextFileW 76863->76865 76878 7ffc74c5d730 76863->76878 76864->76827 76865->76863 76892 7ffc74c500b0 76867->76892 76869 7ffc74c50170 76869->76833 76870->76840 76871->76840 76873 7ffc74c5566c _RunAllParam 76872->76873 76874 7ffc74c555dc 76872->76874 76873->76858 76874->76873 76875 7ffc74c59ad0 _RunAllParam 2 API calls 76874->76875 76876 7ffc74c55619 _RunAllParam 76875->76876 76877 7ffc74c59ad0 _RunAllParam 2 API calls 76876->76877 76877->76873 76880 7ffc74c5d771 76878->76880 76879 7ffc74c5dd82 76879->76863 76880->76879 76881 7ffc74c75760 _RunAllParam 2 API calls 76880->76881 76885 7ffc74c5d928 _RunAllParam 76880->76885 76888 7ffc74c5d917 _RunAllParam 76880->76888 76881->76880 76882 7ffc74c58a60 _RunAllParam 2 API calls 76882->76879 76883 7ffc74c597d0 _RunAllParam 2 API calls 76884 7ffc74c5daba 76883->76884 76884->76879 76886 7ffc74c75760 _RunAllParam 2 API calls 76884->76886 76889 7ffc74c5dc05 _RunAllParam 76884->76889 76891 7ffc74c5dbf4 _RunAllParam 76884->76891 76887 7ffc74c59ad0 
_RunAllParam 2 API calls 76885->76887 76885->76888 76886->76884 76887->76888 76888->76883 76888->76891 76889->76879 76890 7ffc74c59ad0 _RunAllParam 2 API calls 76889->76890 76889->76891 76890->76891 76891->76879 76891->76882 76893 7ffc74c500ce 76892->76893 76895 7ffc74c500de 76892->76895 76898 7ffc74c56d80 LdrLoadDll FindNextFileW _RunAllParam 76893->76898 76897 7ffc74c50123 76895->76897 76899 7ffc74c56df0 76895->76899 76897->76869 76898->76895 76900 7ffc74c56e0d 76899->76900 76901 7ffc74c56e26 76899->76901 76900->76901 76902 7ffc74c59ad0 _RunAllParam 2 API calls 76900->76902 76901->76897 76902->76901 76903 7ffc74c570f0 76904 7ffc74c57110 76903->76904 76905 7ffc74c57146 76903->76905 76906 7ffc74c59ad0 _RunAllParam 2 API calls 76904->76906 76907 7ffc74c59ad0 _RunAllParam 2 API calls 76905->76907 76908 7ffc74c5711f 76906->76908 76909 7ffc74c57155 76907->76909 76908->76905 76910 7ffc74c57128 RtlCreateHeap 76908->76910 76910->76905 76911 7ffc74c6ed10 76925 7ffc74c6ddc0 76911->76925 76914 7ffc74c59ad0 _RunAllParam 2 API calls 76915 7ffc74c6ed4e 76914->76915 76916 7ffc74c6ed53 FindFirstFileExW 76915->76916 76918 7ffc74c6eda4 76915->76918 76917 7ffc74c6ed78 76916->76917 76922 7ffc74c6ed95 76916->76922 76920 7ffc74c59ad0 _RunAllParam 2 API calls 76917->76920 76917->76922 76921 7ffc74c59ad0 _RunAllParam 2 API calls 76918->76921 76918->76922 76919 7ffc74c5d730 _RunAllParam 2 API calls 76923 7ffc74c6ee52 76919->76923 76920->76922 76921->76922 76922->76919 76924 7ffc74c6edea 76922->76924 76926 7ffc74c6ddeb 76925->76926 76927 7ffc74c6eb83 76926->76927 76964 7ffc74c56d10 76926->76964 76927->76914 76929 7ffc74c6de4c 76930 7ffc74c75760 _RunAllParam 2 API calls 76929->76930 76933 7ffc74c6e47a 76929->76933 76944 7ffc74c6e027 _RunAllParam 76929->76944 76946 7ffc74c6e016 _RunAllParam 76929->76946 76930->76929 76931 7ffc74c597d0 _RunAllParam 2 API calls 76940 7ffc74c6e1ab 76931->76940 76932 7ffc74c58a60 _RunAllParam 2 API calls 76932->76933 76968 7ffc74c59540 76933->76968 76935 
7ffc74c6e4e0 77010 7ffc74c5ca50 76935->77010 76938 7ffc74c6e51f 77113 7ffc74c69410 NtClose LdrLoadDll FindNextFileW _RunAllParam 76938->77113 76939 7ffc74c6e54c 77038 7ffc74c5a2c0 76939->77038 76940->76933 76942 7ffc74c75760 _RunAllParam 2 API calls 76940->76942 76949 7ffc74c6e2f7 _RunAllParam 76940->76949 76955 7ffc74c6e2e6 _RunAllParam 76940->76955 76942->76940 76945 7ffc74c59ad0 _RunAllParam 2 API calls 76944->76945 76944->76946 76945->76946 76946->76931 76946->76955 76947 7ffc74c6eb7c GetSystemInfo 76947->76927 76948 7ffc74c75760 _RunAllParam 2 API calls 76951 7ffc74c6e524 76948->76951 76950 7ffc74c59ad0 _RunAllParam 2 API calls 76949->76950 76949->76955 76950->76955 76951->76947 76951->76948 76956 7ffc74c6e727 _RunAllParam 76951->76956 76960 7ffc74c6e716 _RunAllParam 76951->76960 76952 7ffc74c58a60 _RunAllParam 2 API calls 76954 7ffc74c6eb70 76952->76954 76953 7ffc74c597d0 _RunAllParam 2 API calls 76958 7ffc74c6e8ab 76953->76958 76954->76927 76954->76947 76955->76932 76955->76933 76959 7ffc74c59ad0 _RunAllParam 2 API calls 76956->76959 76956->76960 76957 7ffc74c75760 _RunAllParam 2 API calls 76957->76958 76958->76927 76958->76957 76961 7ffc74c6e9f4 _RunAllParam 76958->76961 76963 7ffc74c6e9e3 _RunAllParam 76958->76963 76959->76960 76960->76953 76960->76963 76961->76927 76962 7ffc74c59ad0 _RunAllParam 2 API calls 76961->76962 76961->76963 76962->76963 76963->76927 76963->76952 76965 7ffc74c56d2d 76964->76965 76967 7ffc74c56d41 76964->76967 76966 7ffc74c59ad0 _RunAllParam 2 API calls 76965->76966 76965->76967 76966->76967 76967->76929 76969 7ffc74c6ddc0 14 API calls 76968->76969 76970 7ffc74c59553 76969->76970 76971 7ffc74c59558 76970->76971 76972 7ffc74c50150 _RunAllParam 2 API calls 76970->76972 76971->76935 76974 7ffc74c595a3 _RunAllParam 76972->76974 76975 7ffc74c595de 76974->76975 77114 7ffc74c50280 76974->77114 77117 7ffc74c735d0 76975->77117 76977 7ffc74c595f5 _RunAllParam 77121 7ffc74c72750 76977->77121 76979 7ffc74c59611 77124 7ffc74c72a70 76979->77124 
[Call-graph rendering omitted (continuation of the graph above). The recoverable content of the edge list: nodes are function addresses in the 7ffc74c3d410-7ffc74c75760 range (labelled _RunAllParam) and in the 214ad6f2060-214ad6f29ba range; the API calls that appear as node labels are GetTokenInformation, RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegEnumValueA, RegQueryValueExA, LdrLoadDll, FindNextFileW, NtClose, VirtualAlloc, VirtualProtect and RtlAvlRemoveNode.]

Control-flow Graph

[Control-flow graph rendering omitted. The recoverable content of the block list: basic blocks 7ffc74c4bae0-7ffc74c4c4c2, with calls to the internal functions 7ffc74c59ad0, 7ffc74c50150, 7ffc74c4fcc0, 7ffc74c4fcb0, 7ffc74c4aa70, 7ffc74c5f150, 7ffc74c4b960 and others, and one API call, NtReadVirtualMemory, in block 7ffc74c4bd81-7ffc74c4bda0.]
APIs
Strings
Memory Dump Source
• Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
• Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
Yara matches
Similarity
• API ID: MemoryReadVirtual
• String ID: S4$vfoR$vfoR$vfoR$vfoR
• API String ID: 2834387570-2269768260
• Opcode ID: 67d6a0e30ecfc99b0dca5ee771a92042449f7a4298f4177b590be756e3579b08
• Instruction ID: 7fc517d275788eb15e4903931bf17b7370c764f400e85ec5a0a1d90ea8cfec5b
• Opcode Fuzzy Hash: 67d6a0e30ecfc99b0dca5ee771a92042449f7a4298f4177b590be756e3579b08
• Instruction Fuzzy Hash: 6342E823B2866AC1FA10D7A996D02FE5A51AF857A4F444233DD2E477DAEF3CD501C720
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
• Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
Yara matches
Similarity
• API ID: Section$DuplicateObjectView$CreateUnmap
• String ID:
• API String ID: 1515463610-0
• Opcode ID: 69878a4946d5d80afd23506a8e305cf183fc80022670d662ddd9bab64adf7762
• Instruction ID: f46b07c3bbd4a79897e79d9b2899b8efac24f2ba8a3f8a769fddd6015c100ea5
• Opcode Fuzzy Hash: 69878a4946d5d80afd23506a8e305cf183fc80022670d662ddd9bab64adf7762
• Instruction Fuzzy Hash: 7E51D2337147A58AEB60CF65A4812AE7AA5FB453A8F144236EF6E17BD5DF38C440C350
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateFileMappingW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFC74C4C543
• NtMapViewOfSection.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFC74C4C5D5
• NtUnmapViewOfSection.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFC74C4C61F
• NtDuplicateObject.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFC74C4C65B
• NtDuplicateObject.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFC74C4C6B5
Memory Dump Source
• Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
• Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
Yara matches
Similarity
• API ID: DuplicateObjectSectionView$CreateFileMappingUnmap
• String ID:
• API String ID: 640117302-0
• Opcode ID: 58a822aa4477f50f5e1e61e8374882f619ecb138e7a50048bdd6ad54e35075a7
• Instruction ID: 22bbf6220ac015fe8dc089af0d8d54dbf5881765ea304d825b3c0e63dec303f1
• Opcode Fuzzy Hash: 58a822aa4477f50f5e1e61e8374882f619ecb138e7a50048bdd6ad54e35075a7
• Instruction Fuzzy Hash: 3A51C173618795C1EA20DB59A4812AEBB91EB857B4F144736EABE07BE9DF3CD000C710
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
• Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
Yara matches
Similarity
• API ID: ProtectVirtual$CloseContinueCreateHandlerThreadUserVectored
• String ID:
• API String ID: 238847861-0
• Opcode ID: cc8494239bac652dbbaee1b0b9284e1eac3d1702bfe83ec2fe9336460b744edc
• Instruction ID: 119b350146ee2856d620af7472655a7c11a7a9ae2955578da2c2f41efb6b7265
• Opcode Fuzzy Hash: cc8494239bac652dbbaee1b0b9284e1eac3d1702bfe83ec2fe9336460b744edc
• Instruction Fuzzy Hash: D951FE73719765CAE7649F74A1803AE3AA2EB85308F54413AEB5E0BB99DF39C401C721
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
• Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf3acb177935af63fe9fac810cf0f9ad9d372d93759be908505ccfa49bf865e4
• Instruction ID: cf5d220013fe5df32005c4b410eaf5b270cb806fe53d703bdb78f99cdbd14f45
• Opcode Fuzzy Hash: cf3acb177935af63fe9fac810cf0f9ad9d372d93759be908505ccfa49bf865e4
• Instruction Fuzzy Hash: 9003A127A287AEC2EB159B11D4802BDABA1FB55BC8F684033CA4D47795EF3CE545C360
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
• Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
Yara matches
Similarity
• API ID: CreateFirstProcessSnapshotThread32Toolhelp32
• String ID:
• API String ID: 3863306361-0
• Opcode ID: 505f117c0300a4843b49ad479d7ff982fe80ed7469af99b91e7bac2c96951e6b
• Instruction ID: 9944e7e0e2cd9d1d94698208ae8bd121ff806e7232203b6c72739de3f2b49f4a
• Opcode Fuzzy Hash: 505f117c0300a4843b49ad479d7ff982fe80ed7469af99b91e7bac2c96951e6b
• Instruction Fuzzy Hash: 1F419623A3C66AC1EB65DB18D5D02BE6A51EFC4780F554032E56E477E9DF2CE500C760
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendering omitted. The recoverable content of the block list: basic blocks 7ffc74c6ed10-7ffc74c6ee4c, with calls to the internal functions 7ffc74c6ddc0, 7ffc74c59ad0 and 7ffc74c5d730, and one API call, FindFirstFileExW, in block 7ffc74c6ed53-7ffc74c6ed76.]
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileFindFirst
                                                                            • String ID: .
                                                                            • API String ID: 1974802433-248832578
                                                                            • Opcode ID: 020691f7aa2ce1173d872a35a3031ddd23a780c412a1d9d35a03053f3f84fba1
                                                                            • Instruction ID: 537ddb75d45fdf936a479f2a71d90a2f23ac2865c5e63611963587ba808633e4
                                                                            • Opcode Fuzzy Hash: 020691f7aa2ce1173d872a35a3031ddd23a780c412a1d9d35a03053f3f84fba1
                                                                            • Instruction Fuzzy Hash: AB41D633A18669C1FB644B14D1803796791DF44BA8F188637DA6C077D8DF7EE892C362
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFirstProcessSnapshotThread32Toolhelp32
                                                                            • String ID:
                                                                            • API String ID: 3863306361-0
                                                                            • Opcode ID: a25b63a31ec6bd7a8169e77a42131edbb2ad07c0029c6ea7182009ffb04ab887
                                                                            • Instruction ID: 3bf484aaf01ea986800a15ada148dd604e7b528c50ea9839e307950f239ac32b
                                                                            • Opcode Fuzzy Hash: a25b63a31ec6bd7a8169e77a42131edbb2ad07c0029c6ea7182009ffb04ab887
                                                                            • Instruction Fuzzy Hash: B622D127B2866AC2EB20EB68D1D02BD6A65BF84740F544137DE2E477D6EE3CE505C360
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InfoSystem
                                                                            • String ID:
                                                                            • API String ID: 31276548-0
                                                                            • Opcode ID: 2b487375f9119d2caf835f72ab61a0d07478051212aa95693cce5121f44d3289
                                                                            • Instruction ID: c58774cfcb0880fb920ed4b718b86920acbe4a4d82b6f79ef360cfddb177e9d9
                                                                            • Opcode Fuzzy Hash: 2b487375f9119d2caf835f72ab61a0d07478051212aa95693cce5121f44d3289
                                                                            • Instruction Fuzzy Hash: 4982C063B287AAC2EB648B2594802BD77A1FB45B84F548437CA4D07799EF3DE540C361
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 21362e164c7537fd4366025052e5a21eeba13d6dd41becc6b9f6254d3e2e1a0c
                                                                            • Instruction ID: 8d811354463ca806cc07c1c070fa11fac13d760a7df850740d231b128f6589fd
                                                                            • Opcode Fuzzy Hash: 21362e164c7537fd4366025052e5a21eeba13d6dd41becc6b9f6254d3e2e1a0c
                                                                            • Instruction Fuzzy Hash: 7472A163A287AAC1EB158B1194843BDBBA1FB45BC4FA48033CA6D47799DF3CE541C360
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InformationQuerySystem
                                                                            • String ID:
                                                                            • API String ID: 3562636166-0
                                                                            • Opcode ID: 803e45b9a113cea96072e8d01317439e48261757f0bf75970d9c3a6cbfaee7e7
                                                                            • Instruction ID: 993b2b4978c4a7d9ba4a96160160722248e1448794c1a936283b6ecde15ecc09
                                                                            • Opcode Fuzzy Hash: 803e45b9a113cea96072e8d01317439e48261757f0bf75970d9c3a6cbfaee7e7
                                                                            • Instruction Fuzzy Hash: 7BB18A37A2465ADBE711EF35D2802AE77A4FB44788F504036DA5E47B99EF38E424C720
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileFindLoadNext
                                                                            • String ID:
                                                                            • API String ID: 50669962-0
                                                                            • Opcode ID: 59d2471451db7e51a4b45ada4f58585e283dbf7daf4dba8ff27f7b46b0f6a5c5
                                                                            • Instruction ID: ea6e2df4329fb0dcde6e82a3c2cb65ac192fef4c7e5dee67abace13f70152a1d
                                                                            • Opcode Fuzzy Hash: 59d2471451db7e51a4b45ada4f58585e283dbf7daf4dba8ff27f7b46b0f6a5c5
                                                                            • Instruction Fuzzy Hash: 6A817323A2856AD1FB10EB21D4912FEAB65EF95344FA04173EA4E479CBEE3CD505C720
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            • Opcode ID: 0429e0558a492ce487db87179675f5564a508562b572c62299fea09a8e834ad2
                                                                            • Instruction ID: 518cebe36143c4f68d4e77e687a920742b0f156884861699fa5823eaafb03233
                                                                            • Opcode Fuzzy Hash: 0429e0558a492ce487db87179675f5564a508562b572c62299fea09a8e834ad2
                                                                            • Instruction Fuzzy Hash: 3BD05B52A36619C1FE155761B18237C4650CF95744F184071CD4D4A3D6EF2C95C1C331
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC74C72F59
                                                                            • RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC74C72FB4
                                                                            • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC74C73039
                                                                            • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 00007FFC74C73164
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close$EnumOpen
                                                                            • String ID:
                                                                            • API String ID: 138425441-0
                                                                            • Opcode ID: d831d7d41a78c46177841db07962bebc3c0c28e43f27e97abf2083a0b8a03e06
                                                                            • Instruction ID: c6d6dd860b49417f2f90b4f0411c3ffac18ea448d636ddf9fb4545b41cd2b715
                                                                            • Opcode Fuzzy Hash: d831d7d41a78c46177841db07962bebc3c0c28e43f27e97abf2083a0b8a03e06
                                                                            • Instruction Fuzzy Hash: 62C19523B2D66AC3EE619B25A4803BDA750EF857A0F544233EA6D477D6DF2CD805C720
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.448686597.00000214AD6F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000214AD6F0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_214ad6f0000_mspaint.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual$NodeRemove
                                                                            • String ID:
                                                                            • API String ID: 3879549435-0
                                                                            • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction ID: 34cc821f5ffdd0996243c884d8a41ff09cb438a6e31b1a0a5f805c8f523339cf
                                                                            • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction Fuzzy Hash: E7B152B6618BC486D7308B1AE4507DAB7A0F7D9B84F118026EE8D97B58DF3AC8518F40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                             • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Module$BaseEnumInformationModulesNameProcess
                                                                            • String ID:
                                                                            • API String ID: 2890305978-0
                                                                            • Opcode ID: 0d229061aa8e142c115a2b3722a2578adf890c0fb0d26f180515e3a3b06988d5
                                                                            • Instruction ID: 782af202154fb4582c9137605caa1b1b46b7f143310537419d1fa7500465f439
                                                                            • Opcode Fuzzy Hash: 0d229061aa8e142c115a2b3722a2578adf890c0fb0d26f180515e3a3b06988d5
                                                                            • Instruction Fuzzy Hash: FF419C22F24666C6EB14EBB598912FD6B61BB84788F950033EE4D57B8ADF38D405C360
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                             control_flow_graph (basic blocks as id: address range, calls; entry block 1555)
                                                                             • 1555: 7ffc74c7cf10-7ffc74c7cf60, call 7ffc74c57770
                                                                             • 1558: 7ffc74c7cf62
                                                                             • 1559: 7ffc74c7cf66-7ffc74c7cf7b, call 7ffc74c59ad0
                                                                             • 1562: 7ffc74c7cf7d-7ffc74c7cf95
                                                                             • 1563: 7ffc74c7cf9c-7ffc74c7cfb5, call 7ffc74c59ad0
                                                                             • 1567: 7ffc74c7cf97-7ffc74c7cf9a
                                                                             • 1568: 7ffc74c7cfb7-7ffc74c7cfcb, GetExitCodeProcess
                                                                             • 1569: 7ffc74c7cff6-7ffc74c7d008, call 7ffc74c59ad0
                                                                             • 1571: 7ffc74c7d017-7ffc74c7d034, call 7ffc74c575b0
                                                                             • 1572: 7ffc74c7cfcd-7ffc74c7cfd4, call 7ffc74c5d730
                                                                             • 1573: 7ffc74c7cfd6-7ffc74c7cfe1
                                                                             • 1577: 7ffc74c7cfe3-7ffc74c7cff4, call 7ffc74c577b0
                                                                             • 1578: 7ffc74c7d00a
                                                                             • 1579: 7ffc74c7d014
                                                                             Edges: 1555->1558, 1555->1559, 1558->1559, 1559->1562, 1559->1563, 1562->1563, 1562->1567, 1563->1568, 1563->1569, 1567->1571, 1568->1572, 1568->1573, 1569->1578, 1569->1579, 1572->1569, 1572->1573, 1573->1569, 1573->1577, 1577->1579, 1578->1579, 1579->1571
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                             • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseCodeExitProcess
                                                                            • String ID: 0
                                                                            • API String ID: 1252061823-4108050209
                                                                            • Opcode ID: b0385201ab5c8a860bf4c2c92f413f2ce956079472c193360d232d71439ffaa3
                                                                            • Instruction ID: 89b96e6cb3bc2b95393a219ca79b71175751d58dd663dedbbb95eacb4fddc6ff
                                                                            • Opcode Fuzzy Hash: b0385201ab5c8a860bf4c2c92f413f2ce956079472c193360d232d71439ffaa3
                                                                            • Instruction Fuzzy Hash: CA317733628696C7EA719F21E4802BEA660FB84394F544036D7CE87A99EF3CD545CB24
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                             control_flow_graph (basic blocks as id: address range, calls; entry block 1843)
                                                                             • 1843: 7ffc74c6f550-7ffc74c6f585, call 7ffc74c53360
                                                                             • 1846: 7ffc74c6f5a9-7ffc74c6f5ab
                                                                             • 1847: 7ffc74c6f587-7ffc74c6f5a4, call 7ffc74c56bf0, call 7ffc74c52fa0, call 7ffc74c50e20
                                                                             • 1849: 7ffc74c6f5cc-7ffc74c6f5de, call 7ffc74c59ad0
                                                                             • 1850: 7ffc74c6f5ad-7ffc74c6f5b2
                                                                             • 1851: 7ffc74c6f5c7
                                                                             • 1852: 7ffc74c6f5b4-7ffc74c6f5b7
                                                                             • 1855: 7ffc74c6f5c0-7ffc74c6f5c5
                                                                             • 1856: 7ffc74c6f5b9-7ffc74c6f5be
                                                                             • 1859: 7ffc74c6f5e0-7ffc74c6f5ee
                                                                             • 1860: 7ffc74c6f5ff
                                                                             • 1863: 7ffc74c6f602-7ffc74c6f610
                                                                             • 1864: 7ffc74c6f672-7ffc74c6f67f
                                                                             • 1865: 7ffc74c6f612-7ffc74c6f624
                                                                             • 1867: 7ffc74c6f691
                                                                             • 1868: 7ffc74c6f681-7ffc74c6f683
                                                                             • 1869: 7ffc74c6f5f0-7ffc74c6f5f7, call 7ffc74c5d730
                                                                             • 1870: 7ffc74c6f5f9-7ffc74c6f5fd
                                                                             • 1871: 7ffc74c6f689-7ffc74c6f68f
                                                                             • 1872: 7ffc74c6f685-7ffc74c6f687
                                                                             • 1873: 7ffc74c6f697-7ffc74c6f6ad, call 7ffc74c59ad0
                                                                             • 1878: 7ffc74c6f6d3
                                                                             • 1879: 7ffc74c6f6af-7ffc74c6f6d1, CreateFileW
                                                                             • 1880: 7ffc74c6f6d5-7ffc74c6f6ef, call 7ffc74c577b0, call 7ffc74c575b0
                                                                             • 1885: 7ffc74c6f6f1-7ffc74c6f6f9, call 7ffc74c5d730
                                                                             • 1886: 7ffc74c6f6fb-7ffc74c6f702
                                                                             • 1888: 7ffc74c6f704-7ffc74c6f716, call 7ffc74c59ad0
                                                                             • 1889: 7ffc74c6f725-7ffc74c6f749, call 7ffc74c56d10, call 7ffc74c59ad0
                                                                             • 1893: 7ffc74c6f75c-7ffc74c6f77b
                                                                             • 1897: 7ffc74c6f718-7ffc74c6f721
                                                                             • 1900: 7ffc74c6f74b-7ffc74c6f75a, SetFileTime
                                                                             Edges: 1843->1846, 1843->1847, 1846->1849, 1846->1850, 1847->1846, 1849->1859, 1849->1860, 1850->1851, 1850->1852, 1851->1849, 1852->1855, 1852->1856, 1855->1849, 1856->1849, 1859->1869, 1859->1870, 1860->1863, 1863->1864, 1863->1865, 1864->1867, 1864->1868, 1865->1864, 1867->1873, 1868->1871, 1868->1872, 1869->1860, 1869->1870, 1870->1863, 1871->1873, 1872->1873, 1873->1878, 1873->1879, 1878->1880, 1879->1880, 1880->1885, 1880->1886, 1885->1893, 1886->1888, 1886->1889, 1888->1889, 1888->1897, 1889->1893, 1889->1900, 1897->1889, 1900->1893
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                             • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5365410ca182d3222a7a9d6773cb6a47cedf27d2d4b54f6875b2aba454ade244
                                                                            • Instruction ID: 4374043a972ea07a40572ec0743035c86fb1fa50d9bce4b13bb560458fb6b7bc
                                                                            • Opcode Fuzzy Hash: 5365410ca182d3222a7a9d6773cb6a47cedf27d2d4b54f6875b2aba454ade244
                                                                            • Instruction Fuzzy Hash: 72514823B2C66AC1F6609A21A0903BE6656FF84784F248037DA5E477C5DF3DD801C721
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
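The two control_flow_graph entries above (the function whose block calls GetExitCodeProcess, and the one whose blocks call CreateFileW and SetFileTime) are exported by the report as one whitespace-separated token stream. The parser below is an added example and is not Joe Sandbox's or this report's own code. Its token grammar is an assumption inferred from this page's text: a decimal block id followed by a hex address or address range, then any number of `call <addr>` pairs (calls into other functions of the same module) or bare names (resolved Win32 APIs), with `a->b` tokens as edges. It embeds the first graph as a constructed sample and answers the questions a reviewer asks of such a graph: which block reaches a given API, the shortest path from the entry block to it, which block a given code address (such as the `ref:` addresses in the APIs lists) falls in, and where the function exits.

```python
"""Parse the text form of a Joe Sandbox control-flow graph (added example)."""
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")

# Constructed sample: the control_flow_graph text of the function at
# 7ffc74c7cf10 in this report, copied token for token from the page.
SAMPLE_CFG = (
    "control_flow_graph 1555 7ffc74c7cf10-7ffc74c7cf60 call 7ffc74c57770 "
    "1558 7ffc74c7cf62 1555->1558 1559 7ffc74c7cf66-7ffc74c7cf7b call 7ffc74c59ad0 "
    "1555->1559 1558->1559 1562 7ffc74c7cf7d-7ffc74c7cf95 1559->1562 "
    "1563 7ffc74c7cf9c-7ffc74c7cfb5 call 7ffc74c59ad0 1559->1563 1562->1563 "
    "1567 7ffc74c7cf97-7ffc74c7cf9a 1562->1567 "
    "1568 7ffc74c7cfb7-7ffc74c7cfcb GetExitCodeProcess 1563->1568 "
    "1569 7ffc74c7cff6-7ffc74c7d008 call 7ffc74c59ad0 1563->1569 "
    "1571 7ffc74c7d017-7ffc74c7d034 call 7ffc74c575b0 1567->1571 "
    "1572 7ffc74c7cfcd-7ffc74c7cfd4 call 7ffc74c5d730 1568->1572 "
    "1573 7ffc74c7cfd6-7ffc74c7cfe1 1568->1573 1578 7ffc74c7d00a 1569->1578 "
    "1579 7ffc74c7d014 1569->1579 1572->1569 1572->1573 1573->1569 "
    "1577 7ffc74c7cfe3-7ffc74c7cff4 call 7ffc74c577b0 1573->1577 "
    "1577->1579 1578->1579 1579->1571"
)


@dataclass
class Block:
    bid: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # targets of "call <addr>" (ints)
    apis: list = field(default_factory=list)   # bare names = resolved Win32 APIs


def parse_cfg(text):
    """Return ({block id: Block}, [(src, dst), ...]) in page order.

    Assumed grammar: '<id> <start>[-<end>] {call <addr> | <ApiName>}*' per block,
    '<id>-><id>' per edge, optional leading 'control_flow_graph' label.
    """
    tokens = text.split()
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "control_flow_graph":
            i += 1
            continue
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if tok.isdigit():  # a block id is always followed by its address range
            r = RANGE_RE.match(tokens[i + 1])
            if not r:
                raise ValueError(f"bad address range after block {tok}: {tokens[i + 1]}")
            start = int(r.group(1), 16)
            end = int(r.group(2), 16) if r.group(2) else start  # single-address block
            cur = blocks[int(tok)] = Block(int(tok), start, end)
            i += 2
            continue
        if cur is None:
            raise ValueError(f"unexpected token before first block: {tok}")
        if tok == "call":  # internal call: the next token is the callee address
            cur.calls.append(int(tokens[i + 1], 16))
            i += 2
        else:  # anything else is an imported API name the sandbox resolved
            cur.apis.append(tok)
            i += 1
    return blocks, edges


def api_blocks(blocks):
    """Map each Win32 API name to the ids of the blocks that call it."""
    out = {}
    for b in blocks.values():
        for api in b.apis:
            out.setdefault(api, []).append(b.bid)
    return out


def shortest_path(edges, src, dst):
    """Breadth-first search over the edge list; block ids from src to dst, or []."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    parent, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in succ.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return []


def exit_blocks(blocks, edges):
    """Blocks with no successors, i.e. where the function returns."""
    sources = {a for a, _ in edges}
    return sorted(b for b in blocks if b not in sources)


def block_at(blocks, addr):
    """Id of the block whose address range contains addr, or None (gaps exist)."""
    for b in blocks.values():
        if b.start <= addr <= b.end:
            return b.bid
    return None


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE_CFG)
    entry = next(iter(blocks))  # first block listed is the function entry
    for api, ids in api_blocks(blocks).items():
        for bid in ids:
            route = " -> ".join(map(str, shortest_path(edges, entry, bid)))
            print(f"{api}: block {bid} at {blocks[bid].start:x}, path {route}")
    print("exit blocks:", exit_blocks(blocks, edges))
```

Run stand-alone it reports GetExitCodeProcess in block 1568, reached along 1555 -> 1559 -> 1563 -> 1568, and block 1571 as the only exit. Fed the second graph it places CreateFileW in block 1879 and SetFileTime in block 1900, which matches the `ref:` addresses 00007FFC74C6F6CC and 00007FFC74C6F75A given for those calls further down this page, and shows both blocks converging on the single exit block 1893.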

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                             • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$PointerRead
                                                                            • String ID:
                                                                            • API String ID: 3154509469-0
                                                                            • Opcode ID: 832bfde2b9e185885e271b74d53c98e047d146bff4cc90fea80afd5982659240
                                                                            • Instruction ID: 46a3489df07f8a9971f2dc7014c980ee71b0b09efd218bffb536cc21bb2016bc
                                                                            • Opcode Fuzzy Hash: 832bfde2b9e185885e271b74d53c98e047d146bff4cc90fea80afd5982659240
                                                                            • Instruction Fuzzy Hash: 6641D923F2C7A5C3EA50AB25A08017E6799EF89780F544176EE4E47796DF3CD402CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC74C5961D), ref: 00007FFC74C72885
                                                                            • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC74C5961D), ref: 00007FFC74C728E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                             • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID:
                                                                            • API String ID: 3660427363-0
                                                                            • Opcode ID: e4a99f104d09aedd8628b9d5e328fa791173fd4b4a6c8fff4a0cc5a729e16eab
                                                                            • Instruction ID: 3727e4c09cec7690a6f7569ab857eb7890a82ef0b9933c1913f2e0cc624bc461
                                                                            • Opcode Fuzzy Hash: e4a99f104d09aedd8628b9d5e328fa791173fd4b4a6c8fff4a0cc5a729e16eab
                                                                            • Instruction Fuzzy Hash: 7821D327B296A982EA11CB65A44012AE791EF857A4F084132EE9C47BD8DF3CD481CB10
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                             • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateMutex
                                                                            • String ID:
                                                                            • API String ID: 1964310414-0
                                                                            • Opcode ID: 0511245baa1ee9cf014b866f295f930ccdf3165ba743d99fbc23f661f0817bd7
                                                                            • Instruction ID: c8b74aaceddf79c86acf1f37feefcd66b9a8ceaa9b37a7eb38832781b0e91a71
                                                                            • Opcode Fuzzy Hash: 0511245baa1ee9cf014b866f295f930ccdf3165ba743d99fbc23f661f0817bd7
                                                                            • Instruction Fuzzy Hash: EE51C733A28365C7EB65AB3150812BD7651EF84790F680136EE5D4778AEF3CE942C760
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                             • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Process$CodeExitFullImageNameQuery
                                                                            • String ID:
                                                                            • API String ID: 2650637187-0
                                                                            • Opcode ID: 71029a62f07cccd3d7cde851520802ef93bb1f4d7a66b9d9fbb7e20f742e2e53
                                                                            • Instruction ID: f9b29d99edbbe852c3f607407964bb04344699df9d14af2a89b0b64ec03e5224
                                                                            • Opcode Fuzzy Hash: 71029a62f07cccd3d7cde851520802ef93bb1f4d7a66b9d9fbb7e20f742e2e53
                                                                            • Instruction Fuzzy Hash: 8D417133A2866AD2EB51AF31E0911BD6761EB94798F500032EB4E4769DDF3CD842C7A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FFC74C714EB
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                             • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DescriptorSecurity$ConvertString
                                                                            • String ID:
                                                                            • API String ID: 3907675253-0
                                                                            • Opcode ID: 8932373bd885a01297975face86b4ac4918c9ac0501f6d8382c19f72bb183384
                                                                            • Instruction ID: b586489f8b744e04d0d8c47f3050fec045919c36aa2d1bacd5f1771dadd019fc
                                                                            • Opcode Fuzzy Hash: 8932373bd885a01297975face86b4ac4918c9ac0501f6d8382c19f72bb183384
                                                                            • Instruction Fuzzy Hash: 20218033A18B5AC2EA50AF66A1800ADB7A0FB84784F944036DB9D07B49EF78E511CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C6F9E1), ref: 00007FFC74C6F6CC
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                             • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: 1c608f3320eb0b6d07a7b9dc10397b1525712adb7ce4610a9a0e7b807aa47f7c
                                                                            • Instruction ID: 5ee51f0289bb09b1e7cc02d6624da1dc841ec6ab0ef27996fe6bec0883d8d8cb
                                                                            • Opcode Fuzzy Hash: 1c608f3320eb0b6d07a7b9dc10397b1525712adb7ce4610a9a0e7b807aa47f7c
                                                                            • Instruction Fuzzy Hash: 3E11C123A2866AC2E6709B10A0813BE6799FB48784F648136CB9E07795DF3DE441C772
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C6F9E1), ref: 00007FFC74C6F6CC
                                                                            • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C6F9E1), ref: 00007FFC74C6F75A
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                             • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                             • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CreateTime
                                                                            • String ID:
                                                                            • API String ID: 1043708186-0
                                                                            • Opcode ID: f4c128b9d5b19e275c25f17b42ae4ed4a9879e3b0592de85a2dbbe9d326335b0
                                                                            • Instruction ID: 250c77c5a0b2dab60ec59d4b5cb04b419630e3f4387c515b13269279595e244c
                                                                            • Opcode Fuzzy Hash: f4c128b9d5b19e275c25f17b42ae4ed4a9879e3b0592de85a2dbbe9d326335b0
                                                                            • Instruction Fuzzy Hash: 7811C223A2866AC2E6609B11A0813BE6795FB887C4F588136DA9E07795DF3CD441C761
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileFindNext
                                                                            • String ID:
                                                                            • API String ID: 2029273394-0
                                                                            • Opcode ID: aada0fd551bdf3c48dd13db8bfbc2fcfd14f669ce1326ecaf027b1a30cfeeefc
                                                                            • Instruction ID: 637328e2b29a2c86629466535541115a7040c4fcf49f3fea0738cad347de4bfb
                                                                            • Opcode Fuzzy Hash: aada0fd551bdf3c48dd13db8bfbc2fcfd14f669ce1326ecaf027b1a30cfeeefc
                                                                            • Instruction Fuzzy Hash: B6117363A2526A92FB644A25918127A17D1DF50789F045033DE48472C9EF2EE8D1C762
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C6F9E1), ref: 00007FFC74C6F6CC
                                                                            • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C6F9E1), ref: 00007FFC74C6F75A
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CreateTime
                                                                            • String ID:
                                                                            • API String ID: 1043708186-0
                                                                            • Opcode ID: 467ece9721f42dffbf73521a826a3e9c4ed2f0e7d3e79ee7ead8efb41b3648b3
                                                                            • Instruction ID: 67cd4b1f6d570785cd52fb5145c7fa95d5b6bef3bcf3c93f75a6360f7f3dd2f3
                                                                            • Opcode Fuzzy Hash: 467ece9721f42dffbf73521a826a3e9c4ed2f0e7d3e79ee7ead8efb41b3648b3
                                                                            • Instruction Fuzzy Hash: 9B11C223A2826AC2E6709B1160817BE6795FB88784F588136DB9E07795DF3CD441C761
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C6F9E1), ref: 00007FFC74C6F6CC
                                                                            • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C6F9E1), ref: 00007FFC74C6F75A
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CreateTime
                                                                            • String ID:
                                                                            • API String ID: 1043708186-0
                                                                            • Opcode ID: 58647e534438c17212cf6bb3a52e4e6121f5771211224d929211c77c94624c5d
                                                                            • Instruction ID: 15143ee885c1a02aac59296866ece6747edb6f1488f49faf63248cd4075bd165
                                                                            • Opcode Fuzzy Hash: 58647e534438c17212cf6bb3a52e4e6121f5771211224d929211c77c94624c5d
                                                                            • Instruction Fuzzy Hash: D4010423A282AAC2E6709B11B0813BE6794FB88780F588136DB9E07795DF3CD481C771
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: EnumValue
                                                                            • String ID:
                                                                            • API String ID: 2814608202-0
                                                                            • Opcode ID: 8aa796821d8b8f50368f5b2277d7e8a679d5b4de30b1a6fb50c025f503232d80
                                                                            • Instruction ID: 59a79ee1a49ffc81db369ae0167625993dea248b8e4b3af0405f9487aeb7df6a
                                                                            • Opcode Fuzzy Hash: 8aa796821d8b8f50368f5b2277d7e8a679d5b4de30b1a6fb50c025f503232d80
                                                                            • Instruction Fuzzy Hash: 15113077618B85C6D7209F11F44069AB7A4F788B80F68813AEF9D43B08DF38E991CB14
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateHeap
                                                                            • String ID:
                                                                            • API String ID: 10892065-0
                                                                            • Opcode ID: b7334df7df826ba59950408a90a960fc28c49b223dc7976af0b0d5351520d3da
                                                                            • Instruction ID: 92d251c00b510d1345224e31919a7056e4813ff58c81b9b1a36a643177586ebf
                                                                            • Opcode Fuzzy Hash: b7334df7df826ba59950408a90a960fc28c49b223dc7976af0b0d5351520d3da
                                                                            • Instruction Fuzzy Hash: 9F01F226B28665C2E6509B10F99566AB7A1FB893C4F188036DA9C0A7A5DF3CD460C720
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ComputerName
                                                                            • String ID:
                                                                            • API String ID: 3545744682-0
                                                                            • Opcode ID: 5c7ddf5cf301bc90637047b5caa946280ff68c384baccc5cd18bbeb8ef891232
                                                                            • Instruction ID: 8f3c46fbe1ecbae6ba94f6455e75a2ac050eea73513a6d844f020c70bfad4c0f
                                                                            • Opcode Fuzzy Hash: 5c7ddf5cf301bc90637047b5caa946280ff68c384baccc5cd18bbeb8ef891232
                                                                            • Instruction Fuzzy Hash: 5F014C62F3956AD2EA10EB55E8D11BEA711FFC47C4F505032E98E8768BDE2CD104CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: NameUser
                                                                            • String ID:
                                                                            • API String ID: 2645101109-0
                                                                            • Opcode ID: 2068892fa17d751ec0076a03423b50e46e8ea0994ccf45ee1d1e017f624bba3d
                                                                            • Instruction ID: 6f69d5b9cd1e53113791541359d0561173373620203afbe039823c697816e468
                                                                            • Opcode Fuzzy Hash: 2068892fa17d751ec0076a03423b50e46e8ea0994ccf45ee1d1e017f624bba3d
                                                                            • Instruction Fuzzy Hash: 48014C62B3856AD2EE10EB55E8911BEA711FFC47C4F505032E98E4768BDF2CD104CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFC74C10000, based on PE: true
                                                                            • Associated: 00000019.00000002.457976469.00007FFC74C10000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458127930.00007FFC74C93000.00000002.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458154990.00007FFC74CA6000.00000004.00000001.01000000.0000000E.sdmp
                                                                            • Associated: 00000019.00000002.458187164.00007FFC74CA8000.00000002.00000001.01000000.0000000E.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_7ffc74c10000_mspaint.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: PrivilegeRelease
                                                                            • String ID:
                                                                            • API String ID: 113639715-0
                                                                            • Opcode ID: 7cf2b3573e70af1af2e030802890d76a32fad9be1af3155919c0500a16593c8e
                                                                            • Instruction ID: 25dae31461aa6a858ef15bed7274539acd2993442d4f31db57f0cacd7f8d43ae
                                                                            • Opcode Fuzzy Hash: 7cf2b3573e70af1af2e030802890d76a32fad9be1af3155919c0500a16593c8e
                                                                            • Instruction Fuzzy Hash: A5F08906F2A36A81FD6463E158D117A4D836FC5380F2C4476CC5D463D5EE2CEA81C331
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000214AD6F29A2), ref: 00000214AD6F20B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.448686597.00000214AD6F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000214AD6F0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_214ad6f0000_mspaint.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction ID: b0ad87faf609b9746936496e87a1b197b29085b61971d2c378dce0a1c316347a
                                                                            • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction Fuzzy Hash: 3A316BB2615B8086D790DF1AE45479A7BB1F789BC4F214026EF8D87B58DF3AC442CB00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage:1.2%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:15
                                                                            Total number of Limit Nodes:1
                                                                            execution_graph (rendered graph data, laid out as node and edge lists):
                                                                            • Nodes: 6740 (292a12f2978), 6741 (292a12f2986), 6743 (292a12f29a2), 6745 (292a12f29ba), 6746 (292a12f2060, VirtualAlloc), 6747 (292a12f20c4), 6748 (292a12f2264), 6749 (292a12f230f), 6750 (292a12f238c, VirtualProtect), 6751 (292a12f23ee), 6752 (292a12f244d, VirtualProtect), 6753 (292a12f2507, VirtualProtect), 6754 (292a12f2544), 6755 (292a12f25c5), 6757 (292a12f258c, RtlAvlRemoveNode)
                                                                            • Edges: 6740->6741, 6741->6746, 6746->6747, 6747->6743, 6743->6748, 6748->6749, 6748->6750, 6749->6750, 6750->6751, 6751->6752, 6752->6753, 6752->6754, 6753->6754, 6754->6755, 6754->6757, 6757->6755, 6755->6745

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.492153784.00000292A12F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000292A12F0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_292a12f0000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual$NodeRemove
                                                                            • String ID:
                                                                            • API String ID: 3879549435-0
                                                                            • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction ID: 812839302ad66a80890818ec6a6d9ec255a9c797d890acbacbd1f0717e6c417c
                                                                            • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                                                                            • Instruction Fuzzy Hash: A5B152B7618BE486D730CB1AE440B9AB7A0F7C9B94F108026EE8D53B59DB39C8558F40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000292A12F29A2), ref: 00000292A12F20B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.492153784.00000292A12F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000292A12F0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_292a12f0000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction ID: 2bb03400792dd4307b77da69750b36dc914a215eb7347b0284cf5f205a681330
                                                                            • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                                                                            • Instruction Fuzzy Hash: 46315AB2615B90C6D790CF1AE45479A7BB0F389BD4F204026EF8D87B18DF3AC4568B00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF672540000, based on PE: true
                                                                            • Associated: 00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_7ff672540000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$Create$DirectoryFile$Resource$AttributesCloseLoadPath$BackslashCountDefaultFindFolderHandleInitializeLocaleNameSizeofStringTickUninitializeUserValueWrite_vsnwprintf
                                                                            • String ID: %s%s$%s\%08X$%s\%s.wpl$%s\Sync Playlists$01_Music_auto_rated_at_5_stars$02_Music_added_in_the_last_month$03_Music_rated_at_4_or_5_stars$04_Music_played_in_the_last_month$05_Pictures_taken_in_the_last_month$06_Pictures_rated_4_or_5_stars$07_TV_recorded_in_the_last_week$08_Video_rated_at_4_or_5_stars$09_Music_played_the_most$10_All_Music$11_All_Pictures$12_All_Video$ERROR: Failed to obfuscate playlists. Error code is 0x%x.$ERROR: Failed to set ObfuscatedSyncPlaylistsPath. Error code is 0x%x.$Failed to get Obfuscated File list location. Return Value: %lu.$Failed to get create folder %S. Return Value: %lu.$Failed to get create sync playlist folder %S. Return Value : %lu.$ObfuscatedSyncPlaylistsPath$Software\Microsoft\MediaPlayer\Preferences$syncpl01.xml$syncpl02.xml$syncpl03.xml$syncpl04.xml$syncpl05.xml$syncpl06.xml$syncpl07.xml$syncpl08.xml$syncpl09.xml$syncpl10.xml$syncpl11.xml$syncpl12.xml
                                                                            • API String ID: 1453476894-148328229
                                                                            • Opcode ID: bcf0f6e82770db3c48f0566023fecd04976e4aaa7f5376dd9c70b28eec86702d
                                                                            • Instruction ID: 910efd09aac4bfbd07f5e91843e31ff64cec31d2e38b050da8168bf9bcb5723d
                                                                            • Opcode Fuzzy Hash: bcf0f6e82770db3c48f0566023fecd04976e4aaa7f5376dd9c70b28eec86702d
                                                                            • Instruction Fuzzy Hash: 7D027237A29A4395FB209F25E8842F96361FF44B9CF540132D94DC26A4EFBCE659CB40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF672540000, based on PE: true
                                                                            • Associated: 00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_7ff672540000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: Value$Query$CloseDelete$Open$wcsstr$_wcslwr$_wcsicmp
                                                                            • String ID: DefaultIcon$MPlayer2.BAK$MUIVerb$play$shell$shell\play$shell\play\command$unregmp2.exe
                                                                            • API String ID: 1009640946-1394629503
                                                                            • Opcode ID: 09ffb985afd69063be02d85eda9f68b669ab2bd895dcc54a601d1e5a5bef05a9
                                                                            • Instruction ID: 122be3075f9d080dc7a56f9cc3c60d4d87e94bf9dd1d21a912decb45488481f8
                                                                            • Opcode Fuzzy Hash: 09ffb985afd69063be02d85eda9f68b669ab2bd895dcc54a601d1e5a5bef05a9
                                                                            • Instruction Fuzzy Hash: 42025737629A8296FB50CF11F48456AB3A4FB84B98F401535EA8E83B64EF7CD555CF00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF672540000, based on PE: true
                                                                            • Associated: 00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_7ff672540000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: String$Alloc$ExceptionFreeRaise$memset$ClearCreateValueVariant$AttributesCloseFileInitializeInstanceQueryUninitializewcsrchr
                                                                            • String ID: Created media library for player.$Equals$ObfuscatedSyncPlaylistsPath$PlaylistImportComplete$Software\Microsoft\MediaPlayer\Preferences$SyncOnly$playlist$true
                                                                            • API String ID: 1170084479-386947022
                                                                            • Opcode ID: 234110a245746b744e07fc22c9610017399ff72d38ee70eed925f889e505aa24
                                                                            • Instruction ID: a18fddd734bd8f43a7014a87481f82866c541fa9ea68facb31db1d1cccf25846
                                                                            • Opcode Fuzzy Hash: 234110a245746b744e07fc22c9610017399ff72d38ee70eed925f889e505aa24
                                                                            • Instruction Fuzzy Hash: E3226037B68B8686FB10CF65D8801A967A0FB84B98F504136DE4D97B64EFBCE455CB00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF672540000, based on PE: true
                                                                            • Associated: 00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_7ff672540000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpen$EnumQueryValue$_vsnwprintf
                                                                            • String ID: %s\shell\open\command$%s\shell\play\command$Applications\wmplayer.exe\shell\open\command$Applications\wmplayer.exe\shell\play\command$AudioCD\shell\play\command$CLSID\{45597c98-80f6-4549-84ff-752cf55e2d29}\LocalServer32$CLSID\{cdc32574-7521-4124-90c3-8d5605a34933}\LocalServer32$CLSID\{ed1d0fdf-4414-470a-a56d-cfb68623fc58}\LocalServer32$DVD\shell\play\command$Extension.Handler$Extensions$Player.Path$SPDHandler$Software\Clients\Media\Windows Media Player\shell\open\command$Software\Microsoft\Multimedia\WMPlayer$Software\Microsoft\Windows\CurrentVersion\App Paths\mplayer2.exe$Software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe$WMP.AudioCD\shell\play\command$WMP.BurnCD\shell\burn\command$WMP.DVD\shell\play\command$WMP.VCD\shell\play\command$WMP11.AssocFile%s
                                                                            • API String ID: 3711395594-4265917110
                                                                            • Opcode ID: b302de5ede8e2be9fec82469cf3200823b7080306e8b08daad3d092f96091158
                                                                            • Instruction ID: cd186737b63a2da58ae03fbb1ee33a073a7d7b7e4f3794c85348f2fd3a1a2354
                                                                            • Opcode Fuzzy Hash: b302de5ede8e2be9fec82469cf3200823b7080306e8b08daad3d092f96091158
                                                                            • Instruction Fuzzy Hash: A1A14277638B5692FB209F15F4906A9A3A4FB85B88F801132DA4D87B59DFBCD115CF00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF672540000, based on PE: true
                                                                            • Associated: 00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_7ff672540000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpen$QueryValue$Enum
                                                                            • String ID: Extension.Handler$Extensions$MediaCenter.WTVFile$SPDHandler$Software\Microsoft\Multimedia\WMPlayer$Stack.Audio$Stack.Image$Stack.Video$WMP11.AssocFile%s
                                                                            • API String ID: 2834868890-1408269384
                                                                            • Opcode ID: d51850350e4b5d2234f329591d1fdb4c2e4d8943a108e3eb35c93de76be4496c
                                                                            • Instruction ID: 814501e62c5532e22e9a0a61468096e6f6595cb7f8570dbf9e560d9780cb2d71
                                                                            • Opcode Fuzzy Hash: d51850350e4b5d2234f329591d1fdb4c2e4d8943a108e3eb35c93de76be4496c
                                                                            • Instruction Fuzzy Hash: C6512333628B5686F7508F55F8806AA7365FB84B88F500136EA8D83B58EFBCD545CF00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF672540000, based on PE: true
                                                                            • Associated: 00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_7ff672540000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile$AttributesDeleteFromInstanceItemNameParsing
                                                                            • String ID:
                                                                            • API String ID: 4099635410-0
                                                                            • Opcode ID: ee572537c406273b136cca259e84a0dbf7d1a33a1e3592525d2f38a3a1e02bfc
                                                                            • Instruction ID: c955d7c34ae8e47c92b258685b61e3f3c8875cacccc73f35daca3206ceef549b
                                                                            • Opcode Fuzzy Hash: ee572537c406273b136cca259e84a0dbf7d1a33a1e3592525d2f38a3a1e02bfc
                                                                            • Instruction Fuzzy Hash: A911DA67A68B4682FB049F66E884169B771FB88F98B544032DE4E83774DFBDD448CB00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
APIs
Strings
Memory Dump Source
• Source File: 00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF672540000, based on PE: true
• Associated: 00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_7ff672540000_unregmp2.jbxd
Similarity
• API ID: wcsstr$_wcsicmp$wcschr$CloseQueryValue$_wcslwr$Open$AttributesEnvironmentExpandFileStringsiswalnumiswalpha
• String ID: *.*$.exe$AllowOwnership$DisableExtensionTakeover$ReplaceApps$Software\Microsoft\Multimedia\WMPlayer$SuperiorApps$UserApprovedOwning$\%s$\Devices\$\Extensions\$\MIME Types\$yes$|
• API String ID: 2681333987-4088420840
• Opcode ID: 6ba2fcb62bf061d3db22c8510b204173ab9fdbd59526cfad855711f52d3e1bd3
• Instruction ID: 3ef1f909f12dd63a60f9857e76fd04fc6d409e8f0b4dba312a245d1e9d053f59
• Opcode Fuzzy Hash: 6ba2fcb62bf061d3db22c8510b204173ab9fdbd59526cfad855711f52d3e1bd3
• Instruction Fuzzy Hash: 04024673639A8395FBA08F11D8906F9A360FB84B5CF405136D94E87668EFBCD659CB00
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: AttributesFile$Value$Create$BackslashDeletePath$Close
• String ID: %ProgramFiles%\Windows Media Player\wmplayer.exe$%ProgramFiles(x86)%\Windows Media Player\wmplayer.exe$Software\Microsoft\Windows\CurrentVersion\Explorer\RemoveAccess$WindowsMediaPlayer$WindowsMediaPlayer32$mplayer2.exe$wmplayer.exe
• API String ID: 378844212-742766417
• Opcode ID: b25ba243a731064f6772cb82e9b7b8baca18a23685743e156376c3c7cdc1cb10
• Instruction ID: 990eaab190e7fef2f9c19a24bda83f89466f3b5acf1e94837a655d1447cf9bd1
• Opcode Fuzzy Hash: b25ba243a731064f6772cb82e9b7b8baca18a23685743e156376c3c7cdc1cb10
• Instruction Fuzzy Hash: 92615333A28B5682F7109F11E88426AB371FB84B68F504231D95DC3AA9EFBCE555CF40
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: Delete$CloseOpenQueryValue_wcsicmp$_vsnwprintf
• String ID: %s\shell\Enqueue$%s\shell\Enqueue\command$%s\shell\Play$%s\shell\Play\command$DelegateExecute${45597c98-80f6-4549-84ff-752cf55e2d29}${ed1d0fdf-4414-470a-a56d-cfb68623fc58}
• API String ID: 2502574255-1960170796
• Opcode ID: 202890c0f5fce742ff9078f9626df36ab3d8adb7a592ced5d2d7e9953fa0e41b
• Instruction ID: 8e98a06f0a6871ccbcfbaff9ea458f0a67a5b4075f436ce5457c719b0d1b097f
• Opcode Fuzzy Hash: 202890c0f5fce742ff9078f9626df36ab3d8adb7a592ced5d2d7e9953fa0e41b
• Instruction Fuzzy Hash: 7C512472639B8195F750CF11E8946AA73A5FB84B88F905131EA8D87768EF7CD644CF00
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: AttributesDirectoryFile$CreateEnvironmentExpandStrings$CloseErrorLastLoadOpenQueryStringValueWindowswcsstr
• String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$\
• API String ID: 3203054436-2366109166
• Opcode ID: 890fd54da8484c0e6cb1468df9a7f20542965f317c03e2eca3a4b2e96b3add9b
• Instruction ID: 78907058ae14922cf2626157b0ce52610e29410c1e8eaaba6d33e8d7a994ff89
• Opcode Fuzzy Hash: 890fd54da8484c0e6cb1468df9a7f20542965f317c03e2eca3a4b2e96b3add9b
• Instruction Fuzzy Hash: 7FA1B523A29A8291FB60DF15D8882F963A1FF84798F504131DA4ED76A4EF7DE5C5CB00
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: QueryValue$AttributesCloseEnvironmentExpandFileOpenStrings_vsnwprintfwcsstr
• String ID: "%s$%s\Protocols\%s$Icon$MIMEType$RequiredFile$Software\Microsoft\Multimedia\WMPlayer$Source Filter
• API String ID: 4002066692-166142108
• Opcode ID: 69096bd305b23a8dd0c5367d0c2b5f8399f9daf95ae4f5e829074f07962fda3f
• Instruction ID: 71a35a6c4ef7c32f4c8e03d149ff2eaf1e51050a95675279a03289e173c3a060
• Opcode Fuzzy Hash: 69096bd305b23a8dd0c5367d0c2b5f8399f9daf95ae4f5e829074f07962fda3f
• Instruction Fuzzy Hash: 6FA19573628B8696F750CF11E4806EA63A1FB84798F905135EA8D87B98DF7CE545CF00
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: wcschr$Value$CloseDeleteOpenQuery_wcslwrwcsstr
• String ID: .windowsmedia.com$MediaGuideURL$Partner$RadioGuideURL$Software\Policies\Microsoft\WindowsMediaPlayer\onlinePages
• API String ID: 2371507429-4249708993
• Opcode ID: d520286d1374cb922e39d5d9809b4506bb608c94e4fe52d4ab1ba1e4acde438f
• Instruction ID: 25468321f548df7add204667f78a0c33477c4c50cbf980b6d6bc81456fab5022
• Opcode Fuzzy Hash: d520286d1374cb922e39d5d9809b4506bb608c94e4fe52d4ab1ba1e4acde438f
• Instruction Fuzzy Hash: 0C519633628B8286FB108F10E4906B973A4FF84B88F545135EA4E87768DF7DE545CB00
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: QueryValue$AttributesCloseEnvironmentExpandFileOpenStrings_vsnwprintfwcsstr
• String ID: "%s$%s\Devices\%s$DefaultIcon$RequiredFile$Software\Microsoft\Multimedia\WMPlayer
• API String ID: 4002066692-2580472211
• Opcode ID: 82c85dc13458a6e81bcfcc3edb1bc5d53b3babda1a9f81181676942dfc9930d6
• Instruction ID: 5742ac9ff1147f8ef1c7871bef2c271d9a2190840910cbc6c483181e61aa75cc
• Opcode Fuzzy Hash: 82c85dc13458a6e81bcfcc3edb1bc5d53b3babda1a9f81181676942dfc9930d6
• Instruction Fuzzy Hash: FBA1947362878286FB109F52E4802EA7361FB84798F905131EA8D97A99DFBCE545CF00
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: Filememset$AttributesBackslashPath$CreateDeleteDirectoryHardLinkSystem
• String ID: %s%s%s$Server$Windows Media\
• API String ID: 3414309303-3203484422
• Opcode ID: ef1c10bb514a34ba6ea66cb5f94cbc20fc0be91e5c48e381d2fcd51e64f0f9eb
• Instruction ID: a6297146005c9928364ef23e55f4e4e79c852f8d75f652327c8d671f8c433fdf
• Opcode Fuzzy Hash: ef1c10bb514a34ba6ea66cb5f94cbc20fc0be91e5c48e381d2fcd51e64f0f9eb
• Instruction Fuzzy Hash: CD916C22A28AC299F3218F24D8812F97370FF5875CF545232DA4C96569FFBCE695CB40
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: File$AttributesCloseCreateQueryValueWrite
• String ID: Checking for Playlist Obfuscation.$ObfuscatedSyncPlaylistsPath$Obfuscation for Playlist location failed.$Obfuscation for Playlist location succeeded.$Playlist location already obfuscated.$Playlist location not obfuscated. Doing Obfuscation now.$Software\Microsoft\MediaPlayer\Preferences$\
• API String ID: 10626330-2755703853
• Opcode ID: 79ddd558a7f9341ff505346e26f6e88056d1d748f241692e7b6074fb02d97f1b
• Instruction ID: dc5b85a87389b12eab492f6dea33c10df6d9df7ecc6cdd9f91192b207d54804b
• Opcode Fuzzy Hash: 79ddd558a7f9341ff505346e26f6e88056d1d748f241692e7b6074fb02d97f1b
• Instruction Fuzzy Hash: AC51CB77628B8182FB108F14E8801AAB3B5FB94B98F505235DA5D93798DFBCE655CF00
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: Value$CloseOpenQuerywcsstr
• String ID: "%ProgramFiles%\Windows Media Player\wmplayer.exe"$"%ProgramFiles(x86)%\Windows Media Player\wmplayer.exe"$.exe$Path update failed '%S' - 0x%x.$wmplayer.exe
• API String ID: 3404521029-1582037001
• Opcode ID: 96915beba08db31e68ed27102084f36fd82d318cd3c7061aede056b8f2fd22f3
• Instruction ID: 8844ca6b54d8ebfe44336086426a043488c320067750030d99cadb6750a4f3f6
• Opcode Fuzzy Hash: 96915beba08db31e68ed27102084f36fd82d318cd3c7061aede056b8f2fd22f3
• Instruction Fuzzy Hash: 5341A673629B4286FB608F11E8807AAB3A4FF84B98F844136DA4D87794EF7CD555CB00
Uniqueness
Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF672540000, based on PE: true
                                                                            • Associated: 00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_7ff672540000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesDirectoryFile$CreateFolderFromListLocationMallocPathSpecialWindows
                                                                            • String ID: \$\All Users\Application Data
                                                                            • API String ID: 3677476678-111678211
                                                                            • Opcode ID: dbd7983f458979f795c7e84da877023af6fe6e714b1a061c3e1bd4a95f9725bb
                                                                            • Instruction ID: f843863455ef65fea58be140a141cade86f13eba17877061d2281530e01fcc46
                                                                            • Opcode Fuzzy Hash: dbd7983f458979f795c7e84da877023af6fe6e714b1a061c3e1bd4a95f9725bb
                                                                            • Instruction Fuzzy Hash: E361B523628A4291FB209F16D8842B963E2FB58B9CF540531DA4E877A4EF7CE5C5CB00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF672540000, based on PE: true
                                                                            • Associated: 00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_7ff672540000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: Value$CloseCreateQuery_wcsicmp
                                                                            • String ID: AppName$Software\Microsoft\MediaPlayer\Setup\CreatedLinks
                                                                            • API String ID: 140215022-2247878072
                                                                            • Opcode ID: a163c009f7496384a09927d33716e524bea6f07c96b70c26a50d3ccf2e2ff2c1
                                                                            • Instruction ID: 6bd4bdf91860152391347847d5fcba0f84b8ad7cf9b0a22ad7a394fb3ba24085
                                                                            • Opcode Fuzzy Hash: a163c009f7496384a09927d33716e524bea6f07c96b70c26a50d3ccf2e2ff2c1
                                                                            • Instruction Fuzzy Hash: BE313433628B8185F7608F65F48465AB7A4F7887A8F400235EA9D83B58DFBCD554CF40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF672540000, based on PE: true
                                                                            • Associated: 00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_7ff672540000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: IconsVisible$Software\Clients\Media\Windows Media Player\InstallInfo
                                                                            • API String ID: 3677997916-538100551
                                                                            • Opcode ID: b1e5adf97f3746ae0f8392c1a3e604261061288b1e05a3c370d67e8b85f3c388
                                                                            • Instruction ID: d9471d4e58341ca312dd35d5746cfa7e5678c9611d5876dc42098a23a8460168
                                                                            • Opcode Fuzzy Hash: b1e5adf97f3746ae0f8392c1a3e604261061288b1e05a3c370d67e8b85f3c388
                                                                            • Instruction Fuzzy Hash: 73112137625A51CBEB608F30D89059837A4FB04B5CF841335EA4D82A68EF78D554CB44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00007FF672545A35), ref: 00007FF67254B6CB
                                                                            • RegSetValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00007FF672545A35), ref: 00007FF67254B6F7
                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00007FF672545A35), ref: 00007FF67254B702
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF672540000, based on PE: true
                                                                            • Associated: 00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_7ff672540000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateValue
                                                                            • String ID: DefaultPlayerBitness$Software\Microsoft\MediaPlayer\Setup\UserOptions
                                                                            • API String ID: 1818849710-1236355342
                                                                            • Opcode ID: 800d1e7c6da8d10d60edb391758b93d934e583f5e0854e2cdb4512a9fc2d5a2f
                                                                            • Instruction ID: 6a8059ff32c46fe17b7717d46c5dbac540d305e22234a063baef8e3cda9737d9
                                                                            • Opcode Fuzzy Hash: 800d1e7c6da8d10d60edb391758b93d934e583f5e0854e2cdb4512a9fc2d5a2f
                                                                            • Instruction Fuzzy Hash: 64018473A38B41C6E7108F10E48876D77A5F784B88F800235D65C46A64DFBDD548CF04
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF672540000, based on PE: true
                                                                            • Associated: 00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp
                                                                            • Associated: 00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_35_2_7ff672540000_unregmp2.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager
                                                                            • API String ID: 3677997916-3057196482
                                                                            • Opcode ID: ee0a3b43cf1a9e4b2f4ff27e082502b8c36d36d2d7c890cda06c205eb740069b
                                                                            • Instruction ID: 12134613b3b4676cf93bdf3fb047200181f2d8271dc8a44cec281e11e89ada04
                                                                            • Opcode Fuzzy Hash: ee0a3b43cf1a9e4b2f4ff27e082502b8c36d36d2d7c890cda06c205eb740069b
                                                                            • Instruction Fuzzy Hash: 4EF03137628A41C2E7208F14F48576A7774F78579CFA00221EB8C46A68EF7DD554CF04
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
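Every "Memory Dump Source" entry above names the same six dumps of one module in process 0x23 (35, the `unregmp2` snapshot `hcaresult_35_2_...`), and the only things that vary between them are the region base, the protection field and, in one case, the dump id. The helper below, added here as an editor's example and not part of the Joe Sandbox report, decodes those identifiers so an analyst can pick the right dump for a disassembler without eyeballing eight hex columns. What it decodes is limited to what the page and the Windows `MEMORY_BASIC_INFORMATION` constants support: field 1 is the PID in hex (0x23 == 35 matches the snapshot name), field 4 the region base, field 5 the page protection (0x20 = PAGE_EXECUTE_READ, 0x02 = PAGE_READONLY, 0x04 = PAGE_READWRITE, 0x08 = PAGE_WRITECOPY) and field 7 the allocation type (0x01000000 = MEM_IMAGE, consistent with "based on PE: true"). Reading field 2 as the snapshot/stage index is an assumption taken from the `_2_` in the snapshot file name; fields 3, 6 and 8 are carried through undecoded because the page does not document them. The private RWX identifier in the usage note is constructed, not taken from the report.

```python
"""Decode Joe Sandbox memory-dump identifiers such as
00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp

Layout assumed here: PID.STAGE.DUMPID.BASE.PROTECT.F6.TYPE.F8.sdmp
- PID, BASE, PROTECT, TYPE: decoded with the Windows MEMORY_BASIC_INFORMATION
  constants (PID is hex: 0x23 == 35, matching hcaresult_35_2_...).
- STAGE: assumed to be the snapshot index (the "_2_" in the snapshot name).
- DUMPID, F6, F8: not documented on the page; kept verbatim, never interpreted.
"""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_IMAGE = 0x1000000
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE = 0x04 | 0x08 | 0x40 | 0x80

_SDMP = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Dump:
    pid: int
    stage: int          # assumption: snapshot index, see module docstring
    dump_id: str        # opaque; kept as the string from the file name
    base: int
    protect: int
    mem_type: int
    undecoded: tuple    # fields 6 and 8, verbatim

    @property
    def protect_name(self) -> str:
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:X}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTABLE)

    @property
    def suspicious_rwx(self) -> bool:
        # Writable+executable memory that is NOT backed by a PE image on disk is the
        # usual shape of injected code; a MEM_IMAGE section of a loaded module is not.
        return self.executable and bool(self.protect & WRITABLE) and self.mem_type != MEM_IMAGE


def parse_sdmp(name: str) -> Dump:
    m = _SDMP.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name!r}")
    f = m.groups()
    return Dump(pid=int(f[0], 16), stage=int(f[1], 16), dump_id=f[2], base=int(f[3], 16),
                protect=int(f[4], 16), mem_type=int(f[6], 16), undecoded=(f[5], f[7]))


def rva(dump: Dump, image_base: int) -> int:
    """Offset of the dumped region inside its module (the 'Offset:' value above)."""
    return dump.base - image_base


def pick_code_region(names, image_base):
    """The executable, image-backed region of a module: the dump to load into IDA."""
    dumps = [parse_sdmp(n) for n in names]
    code = [d for d in dumps if d.executable and d.mem_type == MEM_IMAGE and d.base >= image_base]
    return min(code, key=lambda d: d.base) if code else None


# The six identifiers from the entries above; IMAGE_BASE is their "Offset:" value.
IMAGE_BASE = 0x00007FF672540000
DUMPS = [
    "00000023.00000002.497297155.00007FF672541000.00000020.00000001.01000000.0000000F.sdmp",
    "00000023.00000002.497273394.00007FF672540000.00000002.00000001.01000000.0000000F.sdmp",
    "00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp",
    "00000023.00000002.497411896.00007FF67257B000.00000008.00000001.01000000.0000000F.sdmp",
    "00000023.00000002.497420537.00007FF67257D000.00000004.00000001.01000000.0000000F.sdmp",
    "00000023.00000002.497448100.00007FF67257F000.00000002.00000001.01000000.0000000F.sdmp",
]

if __name__ == "__main__":
    for n in DUMPS:
        d = parse_sdmp(n)
        print(f"pid={d.pid} rva=0x{rva(d, IMAGE_BASE):05X} {d.protect_name:<22} "
              f"{d.type_name} rwx={d.suspicious_rwx} id={d.dump_id}")
    print("code region:", pick_code_region(DUMPS, IMAGE_BASE).dump_id)
```

Run as a script it lists the module's layout: the PE header at RVA 0 read-only, the code at RVA 0x1000 execute-read, the data sections at RVA 0x3B000 onward as read-only, write-copy and read-write, all MEM_IMAGE, so none of the six trips the `suspicious_rwx` check; the dump worth disassembling is 497297155, which is exactly the one the report lists first as "Source File". Feed the same function a constructed identifier with protection 0x40 and type 0x20000 (private RWX) and the flag flips, which is the shape to look for when a report's injection signatures fire.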