
Windows Analysis Report
2zdult23rz.exe

Overview

General Information

Sample name: 2zdult23rz.exe (renamed because the original name is a hash value)
Original sample name: 733c1261cf02626f2354e6339baa6717.exe
Analysis ID: 1434701
MD5: 733c1261cf02626f2354e6339baa6717
SHA1: c9e3599e1d7983fa7439bf2ff122fd7e51a59b93
SHA256: a14041622d7d427f0b7ea24efaa7e80a3b025c211273ce0914ee34b5e71bc8c4
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

  • System is w10x64
  • 2zdult23rz.exe (PID: 1948 cmdline: "C:\Users\user\Desktop\2zdult23rz.exe" MD5: 733C1261CF02626F2354E6339BAA6717)
    • schtasks.exe (PID: 2224 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7152 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 5392 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 860 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1120 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 956 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 956 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 972 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 6080 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 733C1261CF02626F2354E6339BAA6717)
    • WerFault.exe (PID: 1880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 800 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4876 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 896 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5584 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 2996 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 733C1261CF02626F2354E6339BAA6717)
    • WerFault.exe (PID: 6060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 776 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5980 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 888 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 888 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 5092 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 733C1261CF02626F2354E6339BAA6717)
    • WerFault.exe (PID: 6656 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 812 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7068 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 956 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 6024 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 733C1261CF02626F2354E6339BAA6717)
    • WerFault.exe (PID: 6924 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 792 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.3356453066.0000000005C1A000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000018.00000002.3357697042.0000000005D4D000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

System Summary

Sigma: CurrentVersion Autorun Keys Modification | Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\2zdult23rz.exe, ProcessId: 1948, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
Snort IDS alerts:

Timestamp                 SID      Source Port  Destination Port  Protocol  Classtype
05/01/24-16:40:33.992588  2046267  58709        49700             TCP       A Network Trojan was detected
05/01/24-16:40:18.542503  2046266  58709        49700             TCP       A Network Trojan was detected
05/01/24-16:40:34.007377  2046267  58709        49701             TCP       A Network Trojan was detected
05/01/24-16:42:16.940552  2046269  49701        58709             TCP       A Network Trojan was detected
05/01/24-16:40:19.140548  2046266  58709        49701             TCP       A Network Trojan was detected
05/01/24-16:40:13.617057  2049060  49699        58709             TCP       A Network Trojan was detected
05/01/24-16:42:16.940639  2046269  49711        58709             TCP       A Network Trojan was detected
05/01/24-16:42:16.940554  2046269  49700        58709             TCP       A Network Trojan was detected
05/01/24-16:40:33.711799  2046267  58709        49699             TCP       A Network Trojan was detected
05/01/24-16:40:13.812784  2046266  58709        49699             TCP       A Network Trojan was detected
05/01/24-16:40:31.596033  2046266  58709        49709             TCP       A Network Trojan was detected
05/01/24-16:40:34.194330  2046267  58709        49709             TCP       A Network Trojan was detected
05/01/24-16:40:48.719023  2046266  58709        49711             TCP       A Network Trojan was detected
05/01/24-16:42:16.940722  2046269  49709        58709             TCP       A Network Trojan was detected
05/01/24-16:42:16.940631  2046269  49699        58709             TCP       A Network Trojan was detected


AV Detection

Source: 2zdult23rz.exe | Avira: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 81%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Virustotal: Detection: 77%
Source: 2zdult23rz.exe | ReversingLabs: Detection: 81%
Source: 2zdult23rz.exe | Virustotal: Detection: 77%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: 2zdult23rz.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004D1240 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,0_2_004D1240
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004D1240 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,9_2_004D1240

Compliance

Source: C:\Users\user\Desktop\2zdult23rz.exe | Unpacked PE file: 0.2.2zdult23rz.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 16.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 24.2.RageMP131.exe.400000.0.unpack
Source: 2zdult23rz.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\2zdult23rz.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: Binary string: C:\dedazosole.pdb source: 2zdult23rz.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044A4BD FindFirstFileExW,0_2_0044A4BD
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004F2870
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0042C82B FindClose,FindFirstFileExW,GetLastError,0_2_0042C82B
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_0042C8B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044A4BD FindFirstFileExW,9_2_0044A4BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,9_2_004F2870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0042C82B FindClose,FindFirstFileExW,GetLastError,9_2_0042C82B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,9_2_0042C8B1

Networking

Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49699 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49699
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49699 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49700
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49701
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49700 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49701 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49699
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49700
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49701
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49709
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49709 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49711
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49711 -> 147.45.47.93:58709
Source: global traffic | TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.6:49699 -> 147.45.47.93:58709
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 147.45.47.93
Source: Joe Sandbox View | IP Address: 104.26.4.15
Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io
Source: global traffic | HTTP traffic detected:
  GET /widget/demo/149.18.24.96 HTTP/1.1
  Connection: Keep-Alive
  Referer: https://ipinfo.io/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: ipinfo.io
Source: global traffic | HTTP traffic detected:
  GET /demo/home.php?s=149.18.24.96 HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: db-ip.com
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004D3150 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,freeaddrinfo,WSACleanup,freeaddrinfo,0_2_004D3150
Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
Source: global traffic | DNS traffic detected: DNS query: db-ip.com
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: 2zdult23rz.exe, 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3356453066.0000000005C1A000.00000040.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356388466.0000000005CCC000.00000040.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3357697042.0000000005D4D000.00000040.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.winimage.com/zLibD
Source: RageMP131.exe, 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/89
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/?
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/I
Source: RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/Or
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/U
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/X9
Source: RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.965
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96F5
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96o#
Source: RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/ur
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=149.18.24.96
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=149.18.24.968
Source: RageMP131.exe, 00000010.00000002.3355352428.000000000447C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/
Source: 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2249432581.0000000006040000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3349183258.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000001.2249277297.00000000004E6000.00000004.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000002.3349156812.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000003.2350560646.0000000006080000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/Content-Type:
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/n
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.000000000445F000.00000004.00000020.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.000000000448C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.000000000429F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.000000000445E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/149.18.24.96
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/widget/demo/149.18.24.96a
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io:443/widget/demo/149.18.24.96
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io:443/widget/demo/149.18.24.96B
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io:443/widget/demo/149.18.24.96E
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.000000000442E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.000000000445E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.0000000004277000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.000000000442E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3356346368.00000000041D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.000000000442E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORTX
Source: 2zdult23rz.exe, 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2249432581.0000000006040000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3349183258.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000001.2249277297.00000000004E6000.00000004.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000002.3349156812.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000003.2350560646.0000000006080000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49718 version: TLS 1.2
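The twenty-four network rows above are one table: each HTTPS row names a server address and the client's ephemeral port, and the port rows record the two directions of each of those connections. The Python below is an added example for this page, not part of the Joe Sandbox report, that regroups the rows per server. It counts sessions per destination, checks that each session was seen in both directions, and flags a server contacted three or more times in a single run; that threshold is this example's own heuristic for a stealer that re-queries an IP/geolocation service from each of its processes. The report does not tie 34.117.186.192 or 104.26.4.15 to a hostname (ipinfo.io and maxmind.com appear only as strings in memory), so resolve the addresses from the run's DNS or PCAP data before attributing them.

```python
"""Regroup the per-direction port rows and the TLS rows of a sandbox report.

Added example for this page; it is not part of the Joe Sandbox report. The
sample rows are copied from the report's network list (analysis host
192.168.2.6). The regexes ignore the column separator, so they accept the
merged form the report prints ("Source: unknownHTTPS traffic ...") as well
as a cleaned "Source: unknown | HTTPS traffic ..." form.
"""
import re

PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: ([^\n]+)"
)

# Constructed input: the report's own rows, pasted verbatim.
SAMPLE_ROWS = """\
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49718 version: TLS 1.2
"""


def parse_port_rows(text):
    """Index the port rows by the client's ephemeral port.

    Returns {client_port: {"out": bool, "in": bool}}: "out" means the
    client -> 443 direction was recorded, "in" the 443 -> client direction.
    Both present means traffic flowed both ways on that connection.
    """
    seen = {}
    for m in PORT_RE.finditer(text):
        src, dst = int(m.group(1)), int(m.group(2))
        if dst == 443:
            seen.setdefault(src, {"out": False, "in": False})["out"] = True
        elif src == 443:
            seen.setdefault(dst, {"out": False, "in": False})["in"] = True
    return seen


def parse_tls_rows(text):
    """Return [(server_ip, client_port, tls_version), ...] from the TLS rows."""
    return [(m.group(1), int(m.group(4)), m.group(5).strip())
            for m in TLS_RE.finditer(text)]


def summarize(text, repeat_threshold=3):
    """Group TLS sessions by server and flag servers contacted repeatedly.

    Returns {server_ip: {"sessions": n, "bidirectional": n,
                         "versions": set, "repeated": bool}}.
    Several separate sessions to one server inside a single run is the
    pattern of a stealer re-querying an IP/geolocation service from each
    of its processes; a benign client usually asks once and caches.
    """
    ports = parse_port_rows(text)
    summary = {}
    for server, cport, ver in parse_tls_rows(text):
        entry = summary.setdefault(server, {"sessions": 0, "bidirectional": 0,
                                            "versions": set(), "repeated": False})
        entry["sessions"] += 1
        entry["versions"].add(ver)
        flow = ports.get(cport, {"out": False, "in": False})
        if flow["out"] and flow["in"]:
            entry["bidirectional"] += 1
    for entry in summary.values():
        entry["repeated"] = entry["sessions"] >= repeat_threshold
    return summary


if __name__ == "__main__":
    for server, info in summarize(SAMPLE_ROWS).items():
        print(server, info)
```

Run as a script it prints one line per server; in a triage pipeline, feed it the raw text of the report's network section and raise on any entry whose `repeated` flag is set, then resolve that server against the run's DNS answers.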
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004F2150 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown

System Summary

Source: 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.3356453066.0000000005C1A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000002.3357697042.0000000005D4D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000010.00000002.3356388466.0000000005CCC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004DF790
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00453C30
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0042A040
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044F050
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0050D010
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0052A080
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004FC0A0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004FB0A0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_005040A0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00510140
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00553170
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004371F0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00541180
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_005041A0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004351B8
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00547260
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00506210
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00552230
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004D3280
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0054E340
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00448314
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00513320
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_005233F0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0050E450
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00453450
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004FF450
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0050C410
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0052E510
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00502580
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_005145A0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0050F620
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004536D0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0051E6F0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00516730
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0043A8BD
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004FC8B0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004F3910
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00506920
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_005209F0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0054B990
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00431A30
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00504A90
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00503BD0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00545BF0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0043ABFF
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00553BB0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004FECA0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00506DD0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00552DC0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00420DB0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004FBE00
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00503E00
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044CEA1
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00504FE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004DF790
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00453C30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0042A040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044F050
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0050D010
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0052A080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004FC0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004FB0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_005040A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00510140
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00553170
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004371F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00541180
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_005041A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004351B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00547260
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00506210
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00552230
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004D3280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0054E340
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00448314
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00513320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_005233F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0050E450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00453450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004FF450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0050C410
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0052E510
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00502580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_005145A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0050F620
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004536D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0051E6F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00516730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0043A8BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004FC8B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004F3910
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00506920
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_005209F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0054B990
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00431A30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00504A90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00503BD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00545BF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0043ABFF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00553BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004FECA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00506DD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00552DC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00420DB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004FBE00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00503E00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044CEA1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00504FE0
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: String function: 00553960 appears 102 times
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: String function: 0042EC10 appears 54 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 00553960 appears 102 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0042EC10 appears 54 times
Source: C:\Users\user\Desktop\2zdult23rz.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 860
Source: 2zdult23rz.exe, 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000000.2064681600.00000000040D8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFires( vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000003.2092524094.00000000044A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFires( vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000003.2091633716.00000000044A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFires( vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 2zdult23rz.exe
Source: 2zdult23rz.exe | Binary or memory string: OriginalFilenameFires( vs 2zdult23rz.exe
Source: 2zdult23rz.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.3356453066.0000000005C1A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000002.3357697042.0000000005D4D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000010.00000002.3356388466.0000000005CCC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.evad.winEXE@24/58@2/3
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00551490 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00551220 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004F3910 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\2zdult23rz.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6024
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5092
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6080
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1948
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2996
Source: C:\Users\user\Desktop\2zdult23rz.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\2zdult23rz.exe | Command line argument: N.E (0_2_00452DA0)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Command line argument: N.E (9_2_00452DA0)
Source: 2zdult23rz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2zdult23rz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2zdult23rz.exe, 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 2zdult23rz.exe | ReversingLabs: Detection: 81%
Source: 2zdult23rz.exe | Virustotal: Detection: 77%
Source: 2zdult23rz.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\2zdult23rz.exe | File read: C:\Users\user\Desktop\2zdult23rz.exe
Source: unknown | Process created: C:\Users\user\Desktop\2zdult23rz.exe "C:\Users\user\Desktop\2zdult23rz.exe"
Source: C:\Users\user\Desktop\2zdult23rz.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2zdult23rz.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2zdult23rz.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 860
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 776
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 812
Source: C:\Users\user\Desktop\2zdult23rz.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 956
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 888
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 896
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 956
Source: C:\Users\user\Desktop\2zdult23rz.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 956
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 792
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 888
Source: C:\Users\user\Desktop\2zdult23rz.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 972
Source: C:\Users\user\Desktop\2zdult23rz.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\2zdult23rz.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: devobj.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: webio.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: apphelp.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msimg32.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msimg32.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: webio.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dll
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\2zdult23rz.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
Source: 2zdult23rz.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\dedazosole.pdb source: 2zdult23rz.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\2zdult23rz.exe Unpacked PE file: 0.2.2zdult23rz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 16.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 24.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\2zdult23rz.exe Unpacked PE file: 0.2.2zdult23rz.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 16.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 24.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\Desktop\2zdult23rz.exe Code function: 0_2_004DB380 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004DB380
Source: C:\Users\user\Desktop\2zdult23rz.exe Code function: 0_2_0042E7E9 push ecx; ret 0_2_0042E7FC
Source: C:\Users\user\Desktop\2zdult23rz.exe Code function: 0_2_0040A943 pushad ; iretd 0_2_0040A947
Source: C:\Users\user\Desktop\2zdult23rz.exe Code function: 0_2_05CC5793 pushad ; iretd 0_2_05CC57CA
Source: C:\Users\user\Desktop\2zdult23rz.exe Code function: 0_2_05CC4641 push ebp; retf 0_2_05CC4646
Source: C:\Users\user\Desktop\2zdult23rz.exe Code function: 0_2_05CC7B4C push eax; ret 0_2_05CC7BC0
Source: C:\Users\user\Desktop\2zdult23rz.exe Code function: 0_2_05CC7B6F push eax; ret 0_2_05CC7BC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_0042E7E9 push ecx; ret 9_2_0042E7FC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_0040A943 pushad ; iretd 9_2_0040A947
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_05DF7793 pushad ; iretd 9_2_05DF77CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_05DF6641 push ebp; retf 9_2_05DF6646
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_05DF9B4C push eax; ret 9_2_05DF9BC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 9_2_05DF9B6F push eax; ret 9_2_05DF9BC0
Source: C:\Users\user\Desktop\2zdult23rz.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\2zdult23rz.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\2zdult23rz.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\2zdult23rz.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\2zdult23rz.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\2zdult23rz.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Sandbox detection routine: GetCursorPos, DecisionNode, Sleep (graph_9-61112)
Source: C:\Users\user\Desktop\2zdult23rz.exe | Sandbox detection routine: GetCursorPos, DecisionNode, Sleep (graph_0-61088)
Source: C:\Users\user\Desktop\2zdult23rz.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep (graph_0-61090)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep (graph_9-61113)
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0045A5C0 GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0045A5C0 GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos
Source: C:\Users\user\Desktop\2zdult23rz.exe | Window / User API: threadDelayed 946
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window / User API: threadDelayed 948
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window / User API: threadDelayed 956
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1299
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1309
Source: C:\Users\user\Desktop\2zdult23rz.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_0-61749)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_9-61886)
Source: C:\Users\user\Desktop\2zdult23rz.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-61142)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_9-61166)
Source: C:\Users\user\Desktop\2zdult23rz.exe TID: 4236 | Thread sleep count: 56 > 30
Source: C:\Users\user\Desktop\2zdult23rz.exe TID: 4236 | Thread sleep count: 130 > 30
Source: C:\Users\user\Desktop\2zdult23rz.exe TID: 4236 | Thread sleep count: 946 > 30
Source: C:\Users\user\Desktop\2zdult23rz.exe TID: 4236 | Thread sleep time: -95546s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5996 | Thread sleep count: 101 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2308 | Thread sleep count: 33 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5996 | Thread sleep count: 948 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5996 | Thread sleep time: -95748s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3108 | Thread sleep count: 31 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3108 | Thread sleep count: 95 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6136 | Thread sleep count: 31 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3108 | Thread sleep count: 956 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3108 | Thread sleep time: -96556s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5056 | Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5056 | Thread sleep count: 1299 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5056 | Thread sleep time: -131199s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1372 | Thread sleep count: 161 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1372 | Thread sleep count: 1309 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1372 | Thread sleep time: -132209s >= -30000s
Source: C:\Users\user\Desktop\2zdult23rz.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00550DF0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00550E31h
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00550DF0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00550E31h
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044A4BD FindFirstFileExW
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0042C82B FindClose,FindFirstFileExW,GetLastError
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044A4BD FindFirstFileExW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0042C82B FindClose,FindFirstFileExW,GetLastError
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00452968 VirtualQuery,GetSystemInfo
Source: Amcache.hve.8.dr | Binary or memory string: VMware
Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3356067350.0000000004482000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042C0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.0000000004481000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
Source: RageMP131.exe, 00000018.00000002.3356346368.0000000004238000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RageMP131.exe, 00000018.00000002.3356346368.0000000004221000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 00000018.00000002.3356346368.00000000041D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
Source: RageMP131.exe, 00000018.00000002.3356346368.0000000004221000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
Source: MPGPH131.exe, 00000009.00000003.2162421913.00000000044C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}q
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 00000018.00000002.3349068373.000000000019A000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000018.00000002.3356346368.00000000041D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}She
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, 0000000A.00000003.2168017060.00000000042D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0
Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW#
Source: RageMP131.exe, 00000018.00000002.3356346368.0000000004221000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&S
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: RageMP131.exe, 00000010.00000002.3355352428.0000000004490000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: isk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 2zdult23rz.exe, 00000000.00000003.2114743179.0000000004494000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
Source: RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
Source: RageMP131.exe, 00000018.00000002.3356346368.00000000041D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8?
Source: C:\Users\user\Desktop\2zdult23rz.exe | Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004332F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00453C30 Sleep,GetCurrentProcess,SetPriorityClass,SetUnhandledExceptionFilter,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,GetModuleFileNameA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,CreateThread,FindCloseChangeNotification,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,SetCurrentDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004DB380 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004DF790 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00453C30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00453C30 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004D3280 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004D1380 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004E2C80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_05CC30A3 push dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0045A5C0 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0045A5C0 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004DF790 mov ecx, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00453C30 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00453C30 mov ecx, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004D3280 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004D1380 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004E2C80 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_05DF50A3 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004FA050 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0042EA14 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0042EDAD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00453C30 Sleep,GetCurrentProcess,SetPriorityClass,SetUnhandledExceptionFilter,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,GetModuleFileNameA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,CreateThread,FindCloseChangeNotification,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,SetCurrentDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004332F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0042EA14 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0042EDAD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004DB380 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_004DB380 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0042E615 cpuid
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044D3EB GetACP,IsValidCodePage,GetLocaleInfoW
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044D5F0 GetLocaleInfoW
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0042C623 GetLocaleInfoEx,FormatMessageA
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044D6E2 EnumSystemLocalesW
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044D697 EnumSystemLocalesW
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044D77D EnumSystemLocalesW
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044D808 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00445A41 EnumSystemLocalesW
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044DA5B GetLocaleInfoW
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044DB84 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044DC8A GetLocaleInfoW
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0044DD60 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00445FC4 GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044D3EB GetACP,IsValidCodePage,GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044D5F0 GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0042C623 GetLocaleInfoEx,FormatMessageA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044D6E2 EnumSystemLocalesW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044D697 EnumSystemLocalesW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044D77D EnumSystemLocalesW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044D808 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00445A41 EnumSystemLocalesW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044DA5B GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044DB84 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044DC8A GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_0044DD60 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 9_2_00445FC4 GetLocaleInfoW
Source: C:\Users\user\Desktop\2zdult23rz.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_0043C1FB GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_004479BE GetTimeZoneInformation
Source: C:\Users\user\Desktop\2zdult23rz.exe | Code function: 0_2_00551070 GetVersionExA,GetFileAttributesW,GetFileAttributesA
Source: C:\Users\user\Desktop\2zdult23rz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: 2zdult23rz.exe PID: 1948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6080, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2996, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 5092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 6024, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: 2zdult23rz.exe PID: 1948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6080, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2996, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 5092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 6024, type: MEMORYSTR

MITRE ATT&CK Matrix

Techniques are listed per tactic column; where a technique matched signatures in this analysis, the number of matching signatures precedes its name.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 12 Native API; 3 Command and Scripting Interpreter; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 12 Virtualization/Sandbox Evasion; 11 Process Injection; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 12 System Time Discovery; 1 File and Directory Discovery; 36 System Information Discovery; 261 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 1 Screen Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID 1434701): sample 2zdult23rz.exe, start date 01/05/2024, architecture WINDOWS, score 100. The graph image itself is not reproduced; its node text follows.

Top level
  DNS/IP: ipinfo.io; db-ip.com
  Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 4 other signatures
  Processes started: 2zdult23rz.exe; MPGPH131.exe; RageMP131.exe; 2 other processes

2zdult23rz.exe
  Network: 147.45.47.93, ports 49699, 49700, 49701 (FREE-NET-AS FREEnet EU, Russian Federation)
  Dropped files: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 3 other signatures
  Processes started: schtasks.exe (two instances, each starting conhost.exe); WerFault.exe; 3 other processes

MPGPH131.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Processes started: WerFault.exe; 2 other processes

RageMP131.exe
  Network: ipinfo.io 34.117.186.192, ports 443, 49710, 49713 (GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG, United States); db-ip.com 104.26.4.15, ports 443, 49712, 49716 (CLOUDFLARENETUS, United States)
  Processes started: 2 other processes

2 other processes
  Processes started: WerFault.exe; 3 other processes

Source | Detection | Scanner | Label
2zdult23rz.exe | 82% | ReversingLabs | Win32.Trojan.Privateloader
2zdult23rz.exe | 77% | Virustotal |
2zdult23rz.exe | 100% | Avira | HEUR/AGEN.1313019
2zdult23rz.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Avira | HEUR/AGEN.1313019
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
C:\ProgramData\MPGPH131\MPGPH131.exe | 82% | ReversingLabs | Win32.Trojan.Privateloader
C:\ProgramData\MPGPH131\MPGPH131.exe | 77% | Virustotal |
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 82% | ReversingLabs | Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 77% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.186.192 | true | false | | high
db-ip.com | 104.26.4.15 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/widget/demo/149.18.24.96 | false | | high
https://db-ip.com/demo/home.php?s=149.18.24.96 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://ipinfo.io:443/widget/demo/149.18.24.96 | MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.winimage.com/zLibD | 2zdult23rz.exe, 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3356453066.0000000005C1A000.00000040.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356388466.0000000005CCC000.00000040.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3357697042.0000000005D4D000.00000040.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/demo/home.php?s=149.18.24.96o# | MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/U | 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/ | MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.8.dr | false | | high
https://t.me/RiseProSUPPORT | 2zdult23rz.exe, 00000000.00000002.3356067350.000000000442E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.000000000445E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.0000000004277000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.000000000442E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3356346368.00000000041D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/Or | RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io/Mozilla/5.0 | 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/89 | MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io/Content-Type: | 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2249432581.0000000006040000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3349183258.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000001.2249277297.00000000004E6000.00000004.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000002.3349156812.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000003.2350560646.0000000006080000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp | false | | high
https://db-ip.com/demo/home.php?s=149.18.24.965 | MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORTX | 2zdult23rz.exe, 00000000.00000002.3356067350.000000000442E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/? | MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io/ | RageMP131.exe, 00000010.00000002.3355352428.000000000447C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io:443/widget/demo/149.18.24.96B | 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io/widget/demo/149.18.24.96a | MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.maxmind.com/en/locate-my-ip-address | 2zdult23rz.exe, 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2249432581.0000000006040000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3349183258.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000001.2249277297.00000000004E6000.00000004.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000002.3349156812.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000003.2350560646.0000000006080000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp | false | | high
https://db-ip.com:443/demo/home.php?s=149.18.24.968 | 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/demo/home.php?s=149.18.24.96F5 | MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io:443/widget/demo/149.18.24.96E | MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com:443/demo/home.php?s=149.18.24.96 | MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.winimage.com/zLibDll | RageMP131.exe, 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp | false | | high
https://ipinfo.io/n | MPGPH131.exe, 0000000A.00000002.3355736939.00000000042B0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/I | 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/X9 | MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/ur | RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
147.45.47.93 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
104.26.4.15 | db-ip.com | United States | 13335 | CLOUDFLARENETUS | false
                                                                Joe Sandbox version:40.0.0 Tourmaline
                                                                Analysis ID:1434701
                                                                Start date and time:2024-05-01 16:39:23 +02:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 8m 54s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:42
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:2zdult23rz.exe
                                                                renamed because original name is a hash value
                                                                Original Sample Name:733c1261cf02626f2354e6339baa6717.exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.evad.winEXE@24/58@2/3
                                                                EGA Information:
                                                                • Successful, ratio: 100%
                                                                HCA Information:
                                                                • Successful, ratio: 83%
                                                                • Number of executed functions: 51
                                                                • Number of non-executed functions: 184
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:40:12 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
16:40:13 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
16:40:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
16:40:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
16:41:28 | API Interceptor | 2140x Sleep call for process: RageMP131.exe modified
16:41:34 | API Interceptor | 1431x Sleep call for process: MPGPH131.exe modified
16:41:35 | API Interceptor | 710x Sleep call for process: 2zdult23rz.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.117.186.192
  SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe | malicious | Unknown | ipinfo.io/json
  SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe | malicious | Unknown | ipinfo.io/json
  Raptor.HardwareService.Setup 1.msi | malicious | Unknown | ipinfo.io/ip
  Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
  Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
  w.sh | malicious | Xmrig | /ip
  Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
  Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
  uUsgzQ3DoW.exe | malicious | RedLine | ipinfo.io/ip
  8BZBgbeCcz.exe | malicious | RedLine | ipinfo.io/ip
147.45.47.93
  file.exe | malicious | RisePro Stealer |
  WlCIinu0yp.exe | malicious | LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT |
  file.exe | malicious | LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine |
  file.exe | malicious | LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT |
  SecuriteInfo.com.Win32.TrojanX-gen.3413.25873.exe | malicious | RisePro Stealer |
  file.exe | malicious | RisePro Stealer |
  file.exe | malicious | RisePro Stealer |
  file.exe | malicious | RisePro Stealer |
  file.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT |
  ygm2mXUReY.exe | malicious | RisePro Stealer |
104.26.4.15
  #Ud3ec#Ud2b8#Ud3f4#Ub9ac#Uc624.exe | malicious | Nemty, Xmrig | api.db-ip.com/v2/free/102.129.152.212/countryName
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io
  MegaUniversesMQ.exe | malicious | Unknown | 34.117.186.192
  file.exe | malicious | RisePro Stealer | 34.117.186.192
  MegaUniversesMQ.exe | malicious | Unknown | 34.117.186.192
  file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 34.117.186.192
  WlCIinu0yp.exe | malicious | LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT | 34.117.186.192
  TomeluxGamex.exe | malicious | Unknown | 34.117.186.192
  file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 34.117.186.192
  TomeluxGamex.exe | malicious | Unknown | 34.117.186.192
  file.exe | malicious | LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT | 34.117.186.192
  yWOtU2Escv.exe | malicious | DCRat, PureLog Stealer, zgRAT | 34.117.186.192
db-ip.com
  file.exe | malicious | RisePro Stealer | 104.26.5.15
  file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 104.26.5.15
  WlCIinu0yp.exe | malicious | LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT | 104.26.4.15
  file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 104.26.4.15
  file.exe | malicious | LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT | 104.26.4.15
  SecuriteInfo.com.Win32.TrojanX-gen.3413.25873.exe | malicious | RisePro Stealer | 172.67.75.166
  file.exe | malicious | RisePro Stealer | 104.26.4.15
  file.exe | malicious | RisePro Stealer | 104.26.5.15
  file.exe | malicious | RisePro Stealer | 104.26.4.15
  j1zkOQTx4q.exe | malicious | RisePro Stealer | 172.67.75.166
Match | Associated Sample Name / URL | Detection | Threat Name | Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
  MegaUniversesMQ.exe | malicious | Unknown | 34.117.186.192
  file.exe | malicious | RisePro Stealer | 34.117.186.192
  MegaUniversesMQ.exe | malicious | Unknown | 34.117.186.192
  file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 34.117.186.192
  VOrqSh1Fts.exe | malicious | Neoreklami, PureLog Stealer | 34.117.186.192
  WlCIinu0yp.exe | malicious | LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT | 34.117.186.192
  TomeluxGamex.exe | malicious | Unknown | 34.117.186.192
  file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 34.117.186.192
  TomeluxGamex.exe | malicious | Unknown | 34.117.186.192
  https://vpassz.xu4nblog.com/ | malicious | Unknown | 34.117.152.183
FREE-NET-ASFREEnetEU
  file.exe | malicious | RisePro Stealer | 147.45.47.93
  file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 193.233.132.175
  fBirvIlaOJ.exe | malicious | RedLine | 147.45.47.36
  VOrqSh1Fts.exe | malicious | Neoreklami, PureLog Stealer | 193.233.132.234
  WlCIinu0yp.exe | malicious | LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT | 147.45.47.93
  file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 193.233.132.47
  file.exe | malicious | LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine | 147.45.47.93
  http://147.45.47.87 | malicious | Unknown | 147.45.47.87
  Document.doc.scr | malicious | LockBit ransomware, TrojanRansom | 193.233.132.177
  http://193.233.132.177/lbb.exe | malicious | LockBit ransomware | 193.233.132.177
CLOUDFLARENETUS
  lfY08S61Ig.exe | malicious | LummaC | 104.21.81.139
  TET8iWY1w4.exe | malicious | LummaC | 172.67.141.11
  Price List MAYQTRA031244PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 104.21.13.139
  DHL EXPRESS.exe | malicious | AgentTesla | 104.26.12.205
  https://lookerstudio.google.com/s/pgWlVLRPJcs | malicious | HTMLPhisher | 172.67.182.192
                                                                                    ET2431000075 & ET2431000076.xlsGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                    • 172.67.74.152
                                                                                    https://lp.vp4.me/twfzGet hashmaliciousHTMLPhisherBrowse
                                                                                    • 104.17.64.14
                                                                                    https://content.amanet.org/?m=CiGW.81UwlU3LD6ZH5M4ZoUXv03dAeWfC&r=https://oqiofchbb.cc.rs6.net/tn.jsp?f=001BrGNaLx5EeYT_D9fsttV9hkRaiqNiDYaatz2JV1ZFS38OJIO7WDvwvls52JcOf9z0GAE4dsuLNrEnND6nATJv3j2YQCaUptLy5L9CxqOG_pPtRB4Vlyts4RZlTRfQCbNmVNITwfGgXHfNY6m6WqVC0Xow94NtcEBBj9rVxJNygE==&c=Xts0vtSVfvt9rsVB5GMJrKbHLtDWSm9FdbWu5-xbxK7tN8TvEfkm_Q==&ch=ivuAXLyORIUuV_QkeQerj6L34kBmHi11eQ4csUXdnMhDRyXEYbCfBA====&__=/V5C/ksaffold@stepan.comGet hashmaliciousHTMLPhisherBrowse
                                                                                    • 104.17.2.184
                                                                                    Play_Now.htmGet hashmaliciousHTMLPhisherBrowse
                                                                                    • 104.17.2.184
                                                                                    https://goo.su/l1bfUYRGet hashmaliciousUnknownBrowse
                                                                                    • 172.67.139.105
                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    a0e9f5d64349fb13191bc781f81f42e1lfY08S61Ig.exeGet hashmaliciousLummaCBrowse
                                                                                    • 34.117.186.192
                                                                                    • 104.26.4.15
                                                                                    TET8iWY1w4.exeGet hashmaliciousLummaCBrowse
                                                                                    • 34.117.186.192
                                                                                    • 104.26.4.15
                                                                                    file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                    • 34.117.186.192
                                                                                    • 104.26.4.15
                                                                                    file.exeGet hashmaliciousClipboard Hijacker, RisePro StealerBrowse
                                                                                    • 34.117.186.192
                                                                                    • 104.26.4.15
                                                                                    Categories 30-04-2024.xlsxGet hashmaliciousUnknownBrowse
                                                                                    • 34.117.186.192
                                                                                    • 104.26.4.15
                                                                                    Replace.exeGet hashmaliciousUnknownBrowse
                                                                                    • 34.117.186.192
                                                                                    • 104.26.4.15
                                                                                    WlCIinu0yp.exeGet hashmaliciousLummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRATBrowse
                                                                                    • 34.117.186.192
                                                                                    • 104.26.4.15
                                                                                    Invoice-939713625-008-5283127-8901604.jsGet hashmaliciousUnknownBrowse
                                                                                    • 34.117.186.192
                                                                                    • 104.26.4.15
                                                                                    Inquiry HA-22-28199 22-077.xlsxGet hashmaliciousUnknownBrowse
                                                                                    • 34.117.186.192
                                                                                    • 104.26.4.15
                                                                                    QR#Uff7a#Uff70#Uff84#Uff9e#U4f5c#U6210#Uff74#Uff78#Uff7e#Uff99.xlsb.xlsxGet hashmaliciousUnknownBrowse
                                                                                    • 34.117.186.192
                                                                                    • 104.26.4.15
                                                                                    No context

Process: C:\Users\user\Desktop\2zdult23rz.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 997376
Entropy (8bit): 7.761305403187805
Encrypted: false
SSDEEP: 24576:6ExQ6yPljU6/viqZ2yM8RTza/GasmzprSd3horG7VoCN2h/:6ExQJNjU6nVZhdhza/Gasmz5S52WyCNs
MD5: 733C1261CF02626F2354E6339BAA6717
SHA-1: C9E3599E1D7983FA7439BF2FF122FD7E51A59B93
SHA-256: A14041622D7D427F0B7EA24EFAA7E80A3B025C211273CE0914EE34B5E71BC8C4
SHA-512: 09ECAB849F20CC7E418CC665446210B1AF870C345649709F57E52B1A520E2A5296110E572523A045EA565EAC393F33A0A14A082CB06EC5D175D232AD10FD93B4
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 82%
• Antivirus: Virustotal, Detection: 77%

Process: C:\Users\user\Desktop\2zdult23rz.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA-1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9365068796522449
Encrypted: false
SSDEEP: 96:XhH8P4lastYqOoA7Rn6tQXIDcQnc6rCcEhcw3rL+HbHg/PB6Heao8Fa99Oy4H9n7:m4wQG056rgjtOZrYPzuiFbZ24IO8u
MD5: 6723DFE66B3266C2CB2C85AA6F29B6E9
SHA-1: 8AF9C9B62187A181949F45CE72FE8EF2A5DC0047
SHA-256: 22D8DDA8004E14B592D72FB9F07513E8C11B141CB3286AA7493100F21039E7AE
SHA-512: BB8D1B39397B0DE71BA82B9AE9BD5EFEB9EE3B2C549D29618A1542C19AE6A771578B7E85668628A6B8C94CED7B0F0B082D26B15DBFA6186ECD0AEFE0ACA62F8F
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9368167181801449
Encrypted: false
SSDEEP: 192:l0I4NQG056rgjtOZrYPzuiFbZ24IO8ut:lZ4NQt56rgjlzuiFbY4IO8ut
MD5: 7C047205FB8D80C8AF79B4A3F527E668
SHA-1: A388C989EAE1F55D51B893E8B3EBE97E26E73729
SHA-256: 99A8D28304EE1A2E8D2043224617F54EF7888ABCCAE43109E9163C830D92D4F2
SHA-512: A6F5FDBCD057750FA47289574ED85725DF6B30539ABC44C69D2C44F382292270C8A615E57B05F4AF7B6929185E5561AC549C64A507FCA637C476A0688ED2228D
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9298914215046693
Encrypted: false
SSDEEP: 96:tFr2P4GQastYqOoA7Rn6tQXIDcQnc6rCcEhcw3rL+HbHg/PB6Heao8Fa99Oy4H95:TG4GXQG056rgjtOZrY9zuiFbZ24IO8u
MD5: F140BBB3545697EC54F74FFC1F813B87
SHA-1: F8094F0533696FFFB54C05CDD0CC805D738A167E
SHA-256: C4AD585D896CDE106501CB81B8A097EDD3869866C002ABBA09E8B4228F0F0555
SHA-512: 9F4D30F41F771FC55AD6C4A5FB2FE18F9EA0FD1A4911E622B3C9FC102BA1EF332FFB0194DF2C5A2A355553E053C3AAC8B7F86B69E2D702BCB5B70F30DAE86D6D
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9165046650011295
Encrypted: false
SSDEEP: 192:Dhmyew4CQG056rgjtOZrY3zuiFAZ24IO8u:oG4CQt56rgjtzuiFAY4IO8u
MD5: 779FAE53544D7761A8352EDA81C3EF1F
SHA-1: ECC72FC5AAE3100AC495C3876212CD6DB00409AE
SHA-256: B625B3DB1E9BA59BAC39C1699F9AD2CDC397302E7FD7C2434DE409F3D8FFA648
SHA-512: 32AA48D5CCC0CD3021139B6C240613F72378E4C802AD4B5EC5D22A5B4CA281697AE08B5CA28338009AB21ABCE57F3625908F3AA8075A1153A90D6CA0E331DF7A
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9418094737040694
Encrypted: false
SSDEEP: 192:9QY8Nzy8OG056r96E6jjXZZrMbzuiFbZ24IO8Nj6t:985yjt56rwjGzuiFbY4IO8e
MD5: 619606E51BB46BAD36FC541A7803C8ED
SHA-1: C7FED2801E2F903678781DED0FC066A718522F65
SHA-256: B6FC7985EA8B9EA5F1CA2AA781366144FEAAA8C7C7BBCA673538AD0E53FFD8C4
SHA-512: EE1D7EB19A6822AB4CB4C0CF24806DFA798B909709CB413EDAFF5E3CDD7DC5A930ECA6385DF0CCE60AAEB42103BCB3B874A8190BE1891706B0D03C8727ACA42B
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9087674562418081
Encrypted: false
SSDEEP: 192:2iX8Nzq8OG056r96E6jjtOZrYFzuiFAZ24IO8Nj6t:w5qjt56rwj/zuiFAY4IO8e
MD5: F91D51827D28DE25A951F5DEEEB6986B
SHA-1: AC20E740FE2352F16BD737EB6CED5D6C26C057F5
SHA-256: B63F20ECDE1E27F0BB492004231B74C0B7ED8B2A785C71C57040B8937558800C
SHA-512: E1A4925A7E7005B90F9581FE1F916EA56A96CE0C35B8FABA85A2DA16F219A5B4A4E2E09F81F1F6CBAB0D43808B3CED8FDAEC5505678E1BF02E0707BE6F2E91ED
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9489417878884037
Encrypted: false
SSDEEP: 192:uyX8Nzi8OG056r96E6jjtOZrYKzuiFbZ24IO8Nj6t:a5ijt56rwjgzuiFbY4IO8e
MD5: D5146F5B2C17EA09C9D754D8EE91C7E6
SHA-1: 4013032101CB0596679A2E38534B7443469CE57F
SHA-256: 1CE0C6056F7427025C71718FEC37BEC115117551D704BA6B5F326C1DFB463C6B
SHA-512: 7B34265A37E16AF4BA196CB798781393BFAF0A399545D13B26E60AE396600F662E588DF4E5E058330BFCB41F2D197CFF6BAA94285F2B313CA3C6683D1F6CD703
Malicious: false

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9420143000845581
Encrypted: false
SSDEEP: 192:qY8NzF8OG056r96E6jjXZZrMbzuiFbZ24IO8Nj6t:K5Fjt56rwjGzuiFbY4IO8e
MD5: AA27407294A5FCF5D9A6EE6739603735
SHA-1: DB7F54A96AD7E2FB8908652181E4BFB1E3AEEC95
SHA-256: 30C8CD7DA2E8B351B9B3A94839713274BCE622A1186C6377FCB1FE183E0BEBB9
SHA-512: 3DB04BBDDE49A04CBE1D16D76A8B0DB93D1A3180A21319C5CC476736590F2461022A2C6C92231AD4EBE2D8CCBD7B932B781CD7AD35C57A9F3FECD039E39B8F2D
Malicious: false
                                                                                    Preview:Version=1 EventType=BEX EventTime=133590480363028929 ReportType=2 Consent=1 ReportIdentifier=d7856789-e655-4e86-98a2-61bad8289a4e IntegratorReportIdentifier=dc8f88a9-51c1-494c-a9d1-6b6e3a8507ee Wow64Host=34404 Wow64Guest=332 NsAppName=MPGPH131.exe AppSessionGuid=00000bb4-0001-0015-051a-9679d59bda01 TargetAppId=W:0006ee36be9c1f975ab387c91c50e156398400000a16!0000c9e3599e1d7983fa7439bf2ff122fd7e51a59b93!MPGPH131.exe TargetAppVer=2024//04//21:07:58:40!0!MPGPH131.exe BootId=4294967295
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):65536
                                                                                    Entropy (8bit):0.9019127937641843
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:1+Y8Nzw8OG056r96E6jjXZZrMCzuiFAZ24IO8Nj6t:1u5wjt56rwjHzuiFAY4IO8e
                                                                                    MD5:36F465E0F61B0B46B26B6123562BFDF7
                                                                                    SHA1:F434BEBBCF7A772E53D4ABBF614199F7F2E07ABC
                                                                                    SHA-256:B7009D2CD14760BD727514CA600779E35014EC5B82CD60140126B54A159AE7B2
                                                                                    SHA-512:4FE98F0A89534DB55197DC2BFEB04AB53E27C07042BBA907717D60F4DBF1DF60E4862EA05DB31368E5CE50EA13909B87339715180398FFDBA953A1AED34C1628
                                                                                    Malicious:false
                                                                                    Preview:Version=1 EventType=BEX EventTime=133590480169419595 ReportType=2 Consent=1 ReportIdentifier=df7456cb-df9e-4b59-93ca-82804b0c1b09 IntegratorReportIdentifier=0363b352-d816-4750-9dfd-10eeb2a69c8c Wow64Host=34404 Wow64Guest=332 NsAppName=MPGPH131.exe AppSessionGuid=00000bb4-0001-0015-051a-9679d59bda01 TargetAppId=W:0006ee36be9c1f975ab387c91c50e156398400000a16!0000c9e3599e1d7983fa7439bf2ff122fd7e51a59b93!MPGPH131.exe TargetAppVer=2024//04//21:07:58:40!0!MPGPH131.exe BootId=4294967295
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):65536
                                                                                    Entropy (8bit):0.9289505171052448
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:/MpX8NzBz8OG056r96E6jjtOZrYCzuiFbZ24IO8Nj6t:b5Vjt56rwjYzuiFbY4IO8e
                                                                                    MD5:4AF21D15D9BD6DABE05E0DEE0943E66A
                                                                                    SHA1:48C8F2B889986620335C0337ADC308463693F6D1
                                                                                    SHA-256:3C615B9F05CF836267BC3997802AB37C599451CC36DA7BA4082C9FDF5A22EF38
                                                                                    SHA-512:D66472778122E5AC9B8FAB2DC3AA05E9172AABF7344025916F2563FB7B7CADE4EE64131EE5DFC3D3C0174516B5E504FA904A53433830F45A7BDBA5A4D29D3EAA
                                                                                    Malicious:false
                                                                                    Preview:Version=1 EventType=BEX EventTime=133590480362303438 ReportType=2 Consent=1 ReportIdentifier=f4c77b85-3516-4f65-b357-332c4a00e2d9 IntegratorReportIdentifier=6c202752-4756-43c8-9547-eb6bb53cdf76 Wow64Host=34404 Wow64Guest=332 NsAppName=MPGPH131.exe AppSessionGuid=000017c0-0001-0015-bf8a-5479d59bda01 TargetAppId=W:0006ee36be9c1f975ab387c91c50e156398400000a16!0000c9e3599e1d7983fa7439bf2ff122fd7e51a59b93!MPGPH131.exe TargetAppVer=2024//04//21:07:58:40!0!MPGPH131.exe BootId=4294967295
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):65536
                                                                                    Entropy (8bit):0.9084740188087858
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:2fswsx1E34/FG056r4jXZZrMCzuiFbZ24IO8nr:2fwx1E3oFt56r4jHzuiFbY4IO8n
                                                                                    MD5:49FE6F2F29BBA02657F9F444840AE947
                                                                                    SHA1:3EB46BC5F74448033916E5A2DE186069F7AD51FD
                                                                                    SHA-256:25A280B8C1A097FDAEC654602A57E05C1CCCF9161821D529A0942833948CBBB6
                                                                                    SHA-512:E0FD9F3F10317F08FC8CA0EDA93B58A0871B469BBBA21A6C0EFFB467EB35D5D81381BBA6B88E944B9D1F725FB06932233A3E6E7E8C8BE16B4FFF5F799414A8D2
                                                                                    Malicious:false
                                                                                    Preview:Version=1 EventType=BEX EventTime=133590480455892670 ReportType=2 Consent=1 ReportIdentifier=1f2b9adf-cd60-4ea4-9ed5-476865d40b3f IntegratorReportIdentifier=11874056-e4d5-401c-b7d0-53bde63d3249 Wow64Host=34404 Wow64Guest=332 NsAppName=RageMP131.exe AppSessionGuid=00001788-0001-0015-f6fe-f386d59bda01 TargetAppId=W:0006aeed8e796a2c53eac5ff4e7de34bdfee00000a16!0000c9e3599e1d7983fa7439bf2ff122fd7e51a59b93!RageMP131.exe TargetAppVer=2024//04//21:07:58:40!0!RageMP131.exe BootId=429496729
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):65536
                                                                                    Entropy (8bit):0.9552208988537024
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:xPU6B+3MsyYqOoA7Rn6tQXIDcQnc6rCcEhcw3rD+HbHg/PB6Heao8Fa99Oy4H9nJ:xDE3MFG056r4jtOZrYKzuiFbZ24IO8n
                                                                                    MD5:8D27D6464FCA56641B04705372437AC3
                                                                                    SHA1:26048CC4C4EACE6A55FDA198B4A590BA1F3870C6
                                                                                    SHA-256:AFCFFCADCE39C0F70AB5941C24FCE7AF393C8BFFAC739AA89FF608F6F679EA38
                                                                                    SHA-512:1669F46E7A4E3C0218F674A1A0DB743B37606B42409B0366E13969CFD98937F38623EA29D9993DA1029C9F0AA0EA2000447BE8F43C1C051CCC2D618F7C7727BB
                                                                                    Malicious:false
                                                                                    Preview:Version=1 EventType=BEX EventTime=133590480365593090 ReportType=2 Consent=1 ReportIdentifier=8da1b8ba-8b09-428f-ba51-74f2c7ba8b7d IntegratorReportIdentifier=bfe37a5d-11f7-4632-9cfd-aab78f9bfbc4 Wow64Host=34404 Wow64Guest=332 NsAppName=RageMP131.exe AppSessionGuid=000013e4-0001-0015-b02d-d880d59bda01 TargetAppId=W:0006aeed8e796a2c53eac5ff4e7de34bdfee00000a16!0000c9e3599e1d7983fa7439bf2ff122fd7e51a59b93!RageMP131.exe TargetAppVer=2024//04//21:07:58:40!0!RageMP131.exe BootId=429496729
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):65536
                                                                                    Entropy (8bit):0.91533099383943
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:amB+3KsyYqOoA7Rn6tQXIDcQnc6rCcEhcw3rD+HbHg/PB6Heao8Fa99Oy4H9nFix:7E3KFG056r4jtOZrYFzuiFbZ24IO8n
                                                                                    MD5:DFD9FB88EAC3AE50DD67F8A229189769
                                                                                    SHA1:2634436994DAA32640524FC80EEEBCF4D5E10C5E
                                                                                    SHA-256:85232F3C1F3472B59266E303578D160A1DBBBF997AAFAC5109C0CF61D5C581D1
                                                                                    SHA-512:45B4CA5DB3A56083C0619A85F6096DBC7A62254189B9C07B0E536DCB0DD5CB7F77EAF60E99F7CB75D292698D70F41D02823A5A812771B31291DEF5D1D1EF9543
                                                                                    Malicious:false
                                                                                    Preview:Version=1 EventType=BEX EventTime=133590480277128949 ReportType=2 Consent=1 ReportIdentifier=b7bd9140-c855-4d7b-8dcf-9b68772ee563 IntegratorReportIdentifier=251eb678-6ef5-4847-9398-7dd439d96c03 Wow64Host=34404 Wow64Guest=332 NsAppName=RageMP131.exe AppSessionGuid=000013e4-0001-0015-b02d-d880d59bda01 TargetAppId=W:0006aeed8e796a2c53eac5ff4e7de34bdfee00000a16!0000c9e3599e1d7983fa7439bf2ff122fd7e51a59b93!RageMP131.exe TargetAppVer=2024//04//21:07:58:40!0!RageMP131.exe BootId=429496729
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):6404
                                                                                    Entropy (8bit):3.7228884548738597
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:R6l7wVeJVu06TXYvcr6pBH89b13sf4Knm:R6lXJP6DYkrl18f4z
                                                                                    MD5:7E76A23C1A6FF876D79003C25D1A5BC8
                                                                                    SHA1:4F95133A2571621FD7745A0BFA33D27B27403C34
                                                                                    SHA-256:259AE2B083D26B40A45AF67ADCBF913B34B2B821E62DA43E4B1C21D3F70135FF
                                                                                    SHA-512:AC21395C5F811E3542649EDCA27B3D959F5C615837239E648F2CCDFECCC8DE3F6E5C0C1D93A0BDADA52B500F21AB6EAF65B69F504DDF4BEAE03BFE1BF4F2A6FC
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>2996</Pi
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4712
                                                                                    Entropy (8bit):4.481533194739572
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zs4Jg77aI9S1WpW8VYyGPYm8M4J9NtF+b+q8vHNirTo6nMdd:uIjf+I78E7VnGSJ9gKHsrTo2Mdd
                                                                                    MD5:769EFF6B5C40C2712D988A86CF294384
                                                                                    SHA1:623381F02D626304BE4EE1B8982052C0AFE027EE
                                                                                    SHA-256:301418C8B9F9BD8BEA0620F1A86A3CAFB09C3B2E49634859351B217616D4214E
                                                                                    SHA-512:A496E8EB4E80C15E37E4529959AA0229866DF5EC9855C6CB3A4B5BD8F10DFB94EB9CF2BF56663A0FADAC68D99C8982956283BA4E4AE26DF4ABF19BDA382800AA
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <req ver="2"> <tlm> <src> <desc> <mach> <os> <arg nm="vermaj" val="10" /> <arg nm="vermin" val="0" /> <arg nm="verbld" val="19045" /> <arg nm="vercsdbld" val="2006" /> <arg nm="verqfe" val="2006" /> <arg nm="csdbld" val="2006" /> <arg nm="versp" val="0" /> <arg nm="arch" val="9" /> <arg nm="lcid" val="2057" /> <arg nm="geoid" val="223" /> <arg nm="sku" val="48" /> <arg nm="domain" val="0" /> <arg nm="prodsuite" val="256" /> <arg nm="ntprodtype" val="1" /> <arg nm="platid" val="2" /> <arg nm="tmsi" val="304182" /> <arg nm="osinsty" val="1" /> <arg nm="iever" val="11.789.19041.0-11.0.1000" /> <arg nm="portos" val="0" /> <arg nm="ram" val="409
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:27 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):59910
                                                                                    Entropy (8bit):2.304113653085472
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:42Az4wK0mlNTv4jhlSesS8EKoM8BjsH8FaGTpVNz81fV3a:gz1PmlNTvug7qhpVNwV3
                                                                                    MD5:9F76CA39FB9D899E719D15D2BE646B0E
                                                                                    SHA1:1FCD35279CCCB8F4532C0F34A1AA18FCB8227EC9
                                                                                    SHA-256:6C001553473D637CE3D1D5E4E6CF15CDF7842246E2D19450E02EA1267E63894D
                                                                                    SHA-512:EFBF65F04EC2DC22DFC4590EDCF32D20FB0BA8730CF773A0334B4920D7B4B2691F2623D9CBFAFA6650E60AE96A51D8D0E7892908C95C0DA8507D936758E4EBD7
                                                                                    Malicious:false
                                                                                    Preview:MDMP..a..... .......[T2f........................(...........$................/..........`.......8...........T...........@ ..............$...........................................................................................eJ..............GenuineIntel............T...........YT2f............................. ..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):8430
                                                                                    Entropy (8bit):3.6965219930807716
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:R6l7wVeJQT6Pf6Y2Dr1SUTqgmf2r6pBM89bWcsfSSm:R6lXJ06X6YsSUTqgmf2rkWvfu
                                                                                    MD5:D906F905A024F375296DCE602EF04749
                                                                                    SHA1:739B5D4DF29CFDD9A384D5B27CEC1379885899F6
                                                                                    SHA-256:BB576BECB72C1BACA00262E18A5ED41CBA6A1A6503345537B3FD53FBA4752AB4
                                                                                    SHA-512:B8842C73EF818F0FE3F10DA5813D1A8C645C846D27468E0B3CACCAE8922238E6CDD93E0EFB3D48566F62EF666B62DC4F5BEFE4D2466A31F6C4E7A68787958536
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5092</Pi
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4717
                                                                                    Entropy (8bit):4.4741303057872885
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zsnJg77aI9S1WpW8VYmYm8M4J3NtFp+q8vTN9Lwmad:uIjfJI78E7V6J3jKTzLwmad
                                                                                    MD5:0858802352B28DBC69D891FC8B70ADC9
                                                                                    SHA1:882AA8680B09C3B768D44548FD99DE2F2DCA03E3
                                                                                    SHA-256:0E6D4AFE9200F88A63F02BA918737E24A629E45D58D287E445A1F45AD1C35F17
                                                                                    SHA-512:09CCE180EE4413E0D3755FA9E861586F57FB2091E4F9B0A5778128EE11CB4203AFE4737E863E9C7C24AD77A5A7746A1A353405AF5CACA6FD608799637959FB53
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <req ver="2"> <tlm> <src> <desc> <mach> <os> <arg nm="vermaj" val="10" /> <arg nm="vermin" val="0" /> <arg nm="verbld" val="19045" /> <arg nm="vercsdbld" val="2006" /> <arg nm="verqfe" val="2006" /> <arg nm="csdbld" val="2006" /> <arg nm="versp" val="0" /> <arg nm="arch" val="9" /> <arg nm="lcid" val="2057" /> <arg nm="geoid" val="223" /> <arg nm="sku" val="48" /> <arg nm="domain" val="0" /> <arg nm="prodsuite" val="256" /> <arg nm="ntprodtype" val="1" /> <arg nm="platid" val="2" /> <arg nm="tmsi" val="304183" /> <arg nm="osinsty" val="1" /> <arg nm="iever" val="11.789.19041.0-11.0.1000" /> <arg nm="portos" val="0" /> <arg nm="ram" val="409
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:35 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):75124
                                                                                    Entropy (8bit):2.397766773076656
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:37TH5gnZNTv11eMdmwlYC8JdyvJW3YNoM8zn8saAvS0XL5e1triFXH:rTZmZNTv/GItovLaftrit
                                                                                    MD5:020FD1C5E75D0B7EF2C1A9DA12006C15
                                                                                    SHA1:8E8056822D28CD6C154509EF4D468C749A792316
                                                                                    SHA-256:0879BC716021FEED75FD1DD556A117C08E954EE7093E148C6F2A6023306F96A8
                                                                                    SHA-512:68A82838835E7499B7B0BB0F6B4D75818A1ED5074D9DFAD652550D87B1B309CAED39DF25BB592FE80ED906C83112D017BAE8C1EE888EA56484B7C8180AE6DC0B
                                                                                    Malicious:false
                                                                                    Preview:MDMP..a..... .......cT2f........................l...........<...t............4..........`.......8...........T............%..........................................................................................................eJ......4.......GenuineIntel............T...........GT2f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):8436
                                                                                    Entropy (8bit):3.6972303841181193
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:R6l7wVeJNZ6EYR6Y2D4SUZ5Tgmfvr6pB089bF9sfK3m:R6lXJj6EYR6YFSUZ5TgmfvrMF2fD
                                                                                    MD5:F88464A339CD22349096C1E23FA8BCE6
                                                                                    SHA1:EAD9BC693A25AD07DB24351A41C3E3A8C5B552D3
                                                                                    SHA-256:F6DC9A40E1858C20047870EEA3B0F94D2546D5C43F6AC3A0A2B48DFA0A7ADB1C
                                                                                    SHA-512:E661E29772CD4D8A26B23631078FD87E329C7D60111197EFA8B022BB8AFE63D6BEF463C163181DFA3F78C05B7007770A3CE203B88D065B171233E6464612CE0A
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>1948</Pi
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4722
                                                                                    Entropy (8bit):4.477455907684335
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zsnJg77aI9S1WpW8VYbYm8M4JNNtFdT+q8vaN6ydmTBxd:uIjfJI78E7VHJNDTKaM1TBxd
                                                                                    MD5:7447152905ED15904182157E66E58F3F
                                                                                    SHA1:823BBE02004838159C7FEFB7A950C30899C300D1
                                                                                    SHA-256:C1EED0E1F1C0BFDEA95201509DAE5AD2558B60DCD9E4ECCD143166C2D46FAB1F
                                                                                    SHA-512:85D0EB57AF449B04B73627ACF67EB583201B1973AC92D18007EDDC215EB3625167596BE3102013684DAA8D111F6386FDC4567147C116DEB36D85DEC3D12065A3
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="304183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:36 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):74444
                                                                                    Entropy (8bit):2.391283151802473
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:07H7AAvrNTvU+i3O1mDmfR/B/Otbz0EFywoP2oM8og8Fa5iuEf3jwXqO:07HE4rNTvXmDuR/BmaDySZdXT
                                                                                    MD5:E213CE1A7AAF99E6D03BDAB811B233E0
                                                                                    SHA1:1B1C2D16AD5C890B99CD418B47A5C0633511FBD9
                                                                                    SHA-256:3E194C94B66ED1A6DBA0D42909C9E2CBB1FF94C09D504526D2064F49BEA778CC
                                                                                    SHA-512:A9ECED5858B78D234114899BCF925ADA12D433BEB52880A7C3A6BA8DAC25DC3501B019E4B9DED7411DBE276C60C15516A5902E0B8C29905D963BC06E1B8FA957
                                                                                    Malicious:false
                                                                                    Preview:MDMP (minidump header; readable strings: GenuineIntel, W. Europe Standard Time, W. Europe Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:36 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):79266
                                                                                    Entropy (8bit):2.2877184466916183
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:oK1663YoJTvO6n39bB7LbZr/0E5Jy87IGoI8MN8ldY25+DYNJEDo:oK16poJTvO6DL1C+6q2xNJE0
                                                                                    MD5:B66FCA5A846FF0E8C7E0D19AFDC1CABC
                                                                                    SHA1:B37C9BB39E2CCD1AF5DEF15939BFE9402B8CA0AE
                                                                                    SHA-256:F92639D17F30CFFDE5D43218B4E340073703CF470B5CD07BE25C89FACEA998E1
                                                                                    SHA-512:D1F24C7C63CC952179DAF9E3E3A82438D9A0854720D6BECC5537497D03919CC011AB0A4DB5061720663CCBC164783AF2EBAEF5D82D1CC876FD12A2AB71E0991C
                                                                                    Malicious:false
                                                                                    Preview:MDMP (minidump header; readable strings: GenuineIntel, W. Europe Standard Time, W. Europe Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):6408
                                                                                    Entropy (8bit):3.7205004405478173
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:R6l7wVeJXuWb6fdqPYvcr6pB689buCIcsfWam:R6lXJfb64YkrmuCIvfi
                                                                                    MD5:36CE52E236715C4368CF1A9C241D4D23
                                                                                    SHA1:DD958B52602CC54D6A03FCC95EBEF7AC6D53D161
                                                                                    SHA-256:2083766314C5E20FC92B51F19731CF0E4DB1F915134DD0E3BEF4B3C836053F02
                                                                                    SHA-512:041EBADE8BA98AEFCFC4AF9B275F78A68376C6C983DA3D24CC5F8BD0E0470919E9C5CE9EC024A7198B6FDC31DFBDEEB1820ACFB230C0E92479780023F8C28829
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6080</Pi
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:37 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):79884
                                                                                    Entropy (8bit):2.3012170382614903
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:kqaY0ffkmNTvXGz3SbLfNPmvpzPxdyWcAo48fca8FNGipVNzJvNkTDoKo:kO0fMmNTv22brRm83qRpVNYDpo
                                                                                    MD5:E6321AD28467981F43F7BC28F12C7403
                                                                                    SHA1:FF6D456222F0E9E7C20386E2A55CE72903A644F8
                                                                                    SHA-256:D35CF7BFABA7796683E046E9A8A76253C7560130F171F1DFDAEEB0E43D584771
                                                                                    SHA-512:230461F4EC36C29225F437CFF8EEC6F4306A4DDD6CD85E368DF675EA33021AD98BEF67147AEFB470A7DA7768940D92E391C1C1E30F8AE66A379F58F319C5C5AE
                                                                                    Malicious:false
                                                                                    Preview:MDMP (minidump header; readable strings: GenuineIntel, W. Europe Standard Time, W. Europe Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):6408
                                                                                    Entropy (8bit):3.7213040280364176
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:RSIU6o7wVetbVuf6bYv2npFXaQlngaMOUu89bu3sfWam:R6l7wVeJVuf6bYvcr6pBu89bu3sfWam
                                                                                    MD5:5C666647FD7843C132C33BEAD56A461C
                                                                                    SHA1:42071D8306E6E21D4FB0EB488AC5F5794EFB3767
                                                                                    SHA-256:6A6CD03E91D04B29BF8F3B73F6CEB40C2ED7DA2A6093ED2D4305499DE372F4FF
                                                                                    SHA-512:4761FDDD23578F69C2316137AB26311193A21D600B944727D8A424AEC55DC0BEAFCED744027A10E0A29FD91D36AC4DEA1ED6E6AB24455F63F0E782B3E0CE7A9E
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>2996</Pi
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4712
                                                                                    Entropy (8bit):4.485328785477721
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zsnJg77aI9S1WpW8VYLYm8M4J9NtFMGVm+q8vHNbTo6nMid:uIjfJI78E7VHJ9+dKHpTo2Mid
                                                                                    MD5:7B6053A284656AC46EE8DB84F4D8BA7D
                                                                                    SHA1:A4AFBF83A31F993397E53F69290B89E692F9A32C
                                                                                    SHA-256:5D05525A4FEF752F4C2D5E533BB8D42D3BBE3958885872FE175029ED4827BE29
                                                                                    SHA-512:793A96AC38C0ED5709D13F54B121080525B464173D9E2C8CC8FB63EF553C25B864D2A9AC3EC23250123C6F1387CC8704B69D10216645CEF9771FCD50879A555D
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="304183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4712
                                                                                    Entropy (8bit):4.481531954027711
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zsnJg77aI9S1WpW8VYfYm8M4J9NtFkh+q8vHNirTo6nMdd:uIjfJI78E7VLJ9WhKHsrTo2Mdd
                                                                                    MD5:D3137B0EBAF01386BB46786487CF6779
                                                                                    SHA1:C45DE479B5A9570690BD29C7000682E7D4409711
                                                                                    SHA-256:E8586E4E31670841E054A62D04831383084F0594E2B9D5448D682FA71ABBF826
                                                                                    SHA-512:E29E03C8082B30A91A1CE8C6C80F0C4BB8AB6A3AC7CF7853E56544047A976D9466A14A6E88A86A7ED7E79C7C85CA034599C723CD57F122254552FB88742DA280
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="304183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):8434
                                                                                    Entropy (8bit):3.69589850732452
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:R6l7wVeJQG6r6Y2DKSU5Zgmf2r6pBs89b3csfLdm:R6lXJJ6r6YXSU5Zgmf2r83vf8
                                                                                    MD5:3777355B26F0585DB6AF71741C0D87EC
                                                                                    SHA1:330450EEAD047A29932F077C6C22E5FD4F850020
                                                                                    SHA-256:D9303212475EBC636E35C773B53DA3D0C4D70E2D0F8AECD29D9F02573A8C1B69
                                                                                    SHA-512:E14DF876417542C5EA6BEF09025127D2377C73FE845D3326C675045F6E8BC957918CB7C4765C16A31BA6B5C92DA130582CFF3B81D3D0E37EB3D4FFD2F14C75AC
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5092</Pi
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4717
                                                                                    Entropy (8bit):4.473634117684972
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zsnJg77aI9S1WpW8VYwYm8M4J3NtFEg+q8vTN9Lwmad:uIjfJI78E7VoJ3jKTzLwmad
                                                                                    MD5:B96B39D7D76FDEA475FB5E231DC80E31
                                                                                    SHA1:120192DBE4AD4950809279D7DA6CB4E606899DCF
                                                                                    SHA-256:29954F63A8C7F738962B7A26DE34911167CA66D3AC9894CF761745E24AC1E8D8
                                                                                    SHA-512:506F2AD89761CEA342DFA1BECC882854B7E4A8B64B593537ACAD9785A7DFF704F304F06D5648A5F1C9B2A5790BBDFE66FE3A0278B691250F8EC3D57B820D1A62
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="304183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:44 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):87296
                                                                                    Entropy (8bit):2.2711976993720717
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:JYnhcwAGJNTvjL+QOjZy37QyOu148JdyvJW3YNoM8zn8saAvS0kLaamWePbkY:JiShGJNTv/mSOztovLaBeDk
                                                                                    MD5:DDEFF98E8E9F704CC7767819034EADFC
                                                                                    SHA1:40A5007B5843243B5329A7D67FE05BAA96BE3598
                                                                                    SHA-256:AE06BDF1668EF1CB7EC723A0A20AAC9C5DE6568EB3A5DF17368F134E8FF77DC8
                                                                                    SHA-512:0AB2C01A5C02A44D5E0769ABB9E77AFB0A5F91CF272594D2C5C4B2D054719D142D376C920720E7028593B3A0D137F4EEA80E8AD6557567BB862262113F1A80CD
                                                                                    Malicious:false
                                                                                    Preview:MDMP (minidump header; readable strings: GenuineIntel, W. Europe Standard Time, W. Europe Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):8438
                                                                                    Entropy (8bit):3.6930815463905127
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:R6l7wVeJN36/6Y2DnSUS2gmfvr6pBI89bL9sfuZm:R6lXJN6/6YaSUS2gmfvrAL2fh
                                                                                    MD5:8F4233CC6ADE4450B3A0B69F603BBEAF
                                                                                    SHA1:3EFCCB3F31CC9D9740CFD47A940EBD92A6023AB7
                                                                                    SHA-256:D2E0219E48E9A1D39273033A31A8EACDBDF83B0C6E1E44169D60D53F9AA4E08B
                                                                                    SHA-512:4EF66B38939F4AB7B6F3EFDC8EB1E029EF7198B45E78F035D60655445B0ECC3CD29F1531F44BBFF504B13C7F7E6A0E819954AAF84D9F2BEB437F1EDB7FAE49AE
                                                                                    Malicious:false
                                                                                    Preview (UTF-16LE decoded; non-printable bytes shown as '.'):<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>1948</Pi
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4722
                                                                                    Entropy (8bit):4.476587574448641
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zsnJg77aI9S1WpW8VYzAoYm8M4JNNtF2U7+q8vaN6ydmTBxd:uIjfJI78E7VQoJNf7KaM1TBxd
                                                                                    MD5:D5017D87A4D223CA763191606A234362
                                                                                    SHA1:0E3DE4B0E5DC1CA2F847AE501096552A141DC487
                                                                                    SHA-256:5188CF6CAFBFA12BA3C5F76278432A60DA2D593364FAA61E5EBE7D12B757473D
                                                                                    SHA-512:5D4E2A9DE7D70162ADE3E8E5B261B3B333E820A0508CF8090E22D15532242C81D7F28CEE32EDE5131002436FF229C7CAE448CDB406F730531A83E086D53B987D
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="304183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
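The two records above are the pair WerFault.exe writes for one crash: a WERReportMetadata document stored as UTF-16LE with a byte-order mark (every ASCII character is followed by a NUL byte, which is why the report's preview of it reads `<.?.x.m.l.`) and a UTF-8 telemetry request whose `<arg nm=... val=...>` elements describe the host. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it decodes either file by its BOM, pulls the OS build, revision, locale, architecture and crashing PID out of both shapes into one set of keys, and reproduces the report's own preview rendering so the dotted output is recognisable for what it is. Both sample documents are constructed here from the fields visible in the previews and contain nothing beyond them; the PROCESSOR_ARCHITECTURE mapping for the telemetry `arch` value is the standard Windows one.

```python
# Added example, not part of the Joe Sandbox report or its tooling: decode the
# two XML files WerFault.exe writes per crash and normalise the host/process
# fingerprint they carry. WERReportMetadata is UTF-16LE with a BOM (each ASCII
# character is followed by a NUL, which is why the report's preview reads
# "<.?.x.m.l."); the telemetry request is UTF-8. Both sample documents below are
# constructed from the fields visible in the report previews and contain nothing else.
import re
import xml.etree.ElementTree as ET

# PROCESSOR_ARCHITECTURE_* values behind the telemetry "arch" argument.
ARCH = {0: "X86", 5: "ARM", 9: "X64", 12: "ARM64"}


def preview(data: bytes, width: int = 64) -> str:
    """Render bytes the way the report's Preview column does: printable ASCII
    kept, every other byte (the NULs of UTF-16 text included) shown as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:width])


def load_wer_xml(data: bytes) -> ET.Element:
    """Pick the encoding from the BOM, drop the XML declaration, parse."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")          # BOM selects LE/BE and is stripped
    else:
        text = data.decode("utf-8-sig")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text)


def fingerprint(data: bytes) -> dict:
    """Map either WER document shape onto one set of keys."""
    root = load_wer_xml(data)
    if root.tag == "WERReportMetadata":
        osinfo = root.find("OSVersionInformation")
        if osinfo is None:
            raise ValueError("WERReportMetadata without OSVersionInformation")

        def text(path, node=osinfo):
            return (node.findtext(path) or "").strip()

        return {"build": text("Build"), "revision": text("Revision"),
                "lcid": text("LCID"), "arch": text("Architecture"),
                "pid": text("ProcessInformation/Pid", root)}
    if root.tag == "req":
        args = {a.get("nm"): a.get("val") for a in root.iterfind(".//mach/os/arg")}
        arch = args.get("arch", "")
        return {"build": args.get("verbld", ""), "revision": args.get("verqfe", ""),
                "lcid": args.get("lcid", ""),
                "arch": ARCH.get(int(arch), arch) if arch.isdigit() else arch,
                "pid": ""}   # the telemetry envelope has no PID among the visible fields
    raise ValueError("not a WER document: <%s>" % root.tag)


# Constructed sample 1: WERReportMetadata as WerFault.exe writes it (UTF-16LE + BOM),
# limited to the elements visible in the report preview.
_META_TEXT = (
    '<?xml version="1.0" encoding="UTF-16"?>\r\n'
    '<WERReportMetadata>\r\n'
    '\t<OSVersionInformation>\r\n'
    '\t\t<WindowsNTVersion>10.0</WindowsNTVersion>\r\n'
    '\t\t<Build>19045</Build>\r\n'
    '\t\t<Product>(0x30): Windows 10 Pro</Product>\r\n'
    '\t\t<Edition>Professional</Edition>\r\n'
    '\t\t<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>\r\n'
    '\t\t<Revision>2006</Revision>\r\n'
    '\t\t<Flavor>Multiprocessor Free</Flavor>\r\n'
    '\t\t<Architecture>X64</Architecture>\r\n'
    '\t\t<LCID>2057</LCID>\r\n'
    '\t</OSVersionInformation>\r\n'
    '\t<ProcessInformation>\r\n'
    '\t\t<Pid>1948</Pid>\r\n'
    '\t</ProcessInformation>\r\n'
    '</WERReportMetadata>\r\n'
)
WER_METADATA = b"\xff\xfe" + _META_TEXT.encode("utf-16-le")

# Constructed sample 2: the UTF-8 telemetry request, limited to visible args.
_TLM_TEXT = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
    '<req ver="2">\r\n  <tlm>\r\n    <src>\r\n      <desc>\r\n        <mach>\r\n          <os>\r\n'
    '            <arg nm="vermaj" val="10" />\r\n'
    '            <arg nm="vermin" val="0" />\r\n'
    '            <arg nm="verbld" val="19045" />\r\n'
    '            <arg nm="verqfe" val="2006" />\r\n'
    '            <arg nm="arch" val="9" />\r\n'
    '            <arg nm="lcid" val="2057" />\r\n'
    '            <arg nm="geoid" val="223" />\r\n'
    '            <arg nm="sku" val="48" />\r\n'
    '          </os>\r\n        </mach>\r\n      </desc>\r\n    </src>\r\n  </tlm>\r\n</req>\r\n'
)
WER_TELEMETRY = _TLM_TEXT.encode("utf-8")


if __name__ == "__main__":
    for name, doc in (("WERReportMetadata", WER_METADATA), ("telemetry", WER_TELEMETRY)):
        print(name, "preview:", preview(doc, 48))
        print(name, "fingerprint:", fingerprint(doc))
```

For triage the useful part of these files is not the content itself (both are written by WerFault.exe, not by the sample, which is why the report marks them Malicious:false) but the `<Pid>` values, which tie each crash back to a process in the sandbox's process tree; the records above show PIDs 1948, 6024, 6080 and 2996.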
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:46 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):85278
                                                                                    Entropy (8bit):2.236671312469981
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:3TWL90+cNTvYnrOqi3ufvoP9GvdybzSEFywoP2oM8og8Fa5iuESuaA8f8VX:3TWL2+cNTvYfnoP9AdDySZqZ
                                                                                    MD5:AC0A05FFAFA2F0C07F1DC9981A4E73FC
                                                                                    SHA1:F24C6E0356B50DF3E742562BA87E5B204D745D69
                                                                                    SHA-256:DDCECF87A82399A7B690F8FAF562314472AB40F8A9FA5D9CD5AAEB2082AD951B
                                                                                    SHA-512:2C7CD2DAB50BBB98C98986A7C13A6FBA33A34C8677CD1AAA58E9DEAC3695B56B4FD05BB1A9F0FEB8821B9E082017E72E6704E44D548063F437ACA75644058653
                                                                                    Malicious:false
                                                                                    Preview:MDMP..a..... .......nT2f............T...............h.......<................<..........`.......8...........T............$..V(..........T...........@...............................................................................eJ..............GenuineIntel............T...........LT2f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:45 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):59554
                                                                                    Entropy (8bit):2.299899954807134
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:ZoncfGJTvCeqBsxpRKoM8oDy8Fa3T5xz7mEq/PYl:ZocfGJTvcBsPqoTqX/Al
                                                                                    MD5:5B58179CB24D5B9A2A71B7EEDFD30911
                                                                                    SHA1:40AD0C5BCADECDD5182F79B16BA8B616274472E1
                                                                                    SHA-256:148A90D291C4942C124D5B7C3E57B9208B2AE0D2BD912AC2B3CD51E57610C306
                                                                                    SHA-512:D790553261FAB3F0D855F634EE892A60E32F8CEE061B2245C4901CB6B9FCD8FA77F9258C1CD669E2965F648527FF4C11880B1F7127E59370E666977C137A13E3
                                                                                    Malicious:false
                                                                                    Preview:MDMP..a..... .......mT2f....................................$...............(/..........`.......8...........T...........(...z.......................................................................................................eJ......<.......GenuineIntel............T...........cT2f............................. ..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:46 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):98770
                                                                                    Entropy (8bit):2.3074308344241845
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:K6PLMDwEJTvGlIM2R3VbbyqPLrJ+4g5JyC7IGoI8MkN8ldY65SnuDeUU8SLe2O:K6PLywEJTvGlt2iqjrJhGG6q6dnEe2O
                                                                                    MD5:2FC8ED14A1266082BF8830915F4BEA22
                                                                                    SHA1:DB9F314F346979A31983BFDF0003CC8FFF639B57
                                                                                    SHA-256:17A0CFAED22A95435C97D9968107E6F38C3BFB6D6F88093C89652C0D8A413B08
                                                                                    SHA-512:5D01B2F1EC50BBA5A8E40739236CA4718AFA50B63416722437D7EE43F3A781ED645AA1055619B1CFB9D59C03982AF1681BCC01393EC1F42AD6B1EBEDD9199201
                                                                                    Malicious:false
                                                                                    Preview:MDMP..a..... .......nT2f........................D...........<................>..........`.......8...........T............*...W......................................................................................................eJ..............GenuineIntel............T...........MT2f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
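The three dump records above begin with the same 32-byte MINIDUMP_HEADER, visible in each preview: the `MDMP` signature, a version word whose low half is 0xa793, 15 streams, a stream directory at RVA 0x20 (the space character after the dots), a 32-bit timestamp (`nT2f` is 0x6632546e, i.e. 2024-05-01 14:40:46 UTC) and the MINIDUMP_TYPE flags 0x1205a4. The File Type column is simply file(1)'s reading of that header. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses the header and the stream directory behind it, bounds-checks both before trusting them, reproduces the File Type string and expands the flags word. The dump bytes are constructed inside the block (header values are the ones in the report, the directory entries are invented for the demonstration); the flag and stream-type names follow the MINIDUMP_TYPE and MINIDUMP_STREAM_TYPE enumerations of the Windows SDK.

```python
# Added example, not part of the Joe Sandbox report or its tooling: parse the
# MINIDUMP_HEADER and stream directory of a WerFault.exe dump and reproduce the
# file(1)-style summary shown in the "File Type" rows above. The sample dump is
# constructed here: header values are the ones visible in the report (15 streams,
# TimeDateStamp 0x6632546e, Flags 0x1205a4); the directory contents are invented.
import struct
from datetime import datetime, timezone

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp (32-bit), Flags (64-bit); 32 bytes, little-endian.
HEADER = struct.Struct("<4sIIIIIQ")
# MINIDUMP_DIRECTORY entry: StreamType, Location.DataSize, Location.Rva.
DIRENT = struct.Struct("<III")
SIGNATURE = b"MDMP"
VERSION = 0xA793        # low 16 bits of Version; the high 16 are implementation-defined

MINIDUMP_TYPE = {       # MINIDUMP_TYPE flag bits (Windows SDK, minidumpapiset.h)
    0x1: "MiniDumpWithDataSegs", 0x2: "MiniDumpWithFullMemory",
    0x4: "MiniDumpWithHandleData", 0x8: "MiniDumpFilterMemory",
    0x10: "MiniDumpScanMemory", 0x20: "MiniDumpWithUnloadedModules",
    0x40: "MiniDumpWithIndirectlyReferencedMemory", 0x80: "MiniDumpFilterModulePaths",
    0x100: "MiniDumpWithProcessThreadData", 0x200: "MiniDumpWithPrivateReadWriteMemory",
    0x400: "MiniDumpWithoutOptionalData", 0x800: "MiniDumpWithFullMemoryInfo",
    0x1000: "MiniDumpWithThreadInfo", 0x2000: "MiniDumpWithCodeSegs",
    0x4000: "MiniDumpWithoutAuxiliaryState", 0x8000: "MiniDumpWithFullAuxiliaryState",
    0x10000: "MiniDumpWithPrivateWriteCopyMemory", 0x20000: "MiniDumpIgnoreInaccessibleMemory",
    0x40000: "MiniDumpWithTokenInformation", 0x80000: "MiniDumpWithModuleHeaders",
    0x100000: "MiniDumpFilterTriage", 0x200000: "MiniDumpWithAvxXStateContext",
    0x400000: "MiniDumpWithIptTrace", 0x800000: "MiniDumpScanInaccessiblePartialPages",
}
STREAM_TYPE = {         # common MINIDUMP_STREAM_TYPE values
    0: "UnusedStream", 3: "ThreadListStream", 4: "ModuleListStream",
    5: "MemoryListStream", 6: "ExceptionStream", 7: "SystemInfoStream",
    9: "Memory64ListStream", 12: "HandleDataStream", 14: "UnloadedModuleListStream",
    15: "MiscInfoStream", 16: "MemoryInfoListStream", 17: "ThreadInfoListStream",
}


def parse_header(data: bytes) -> dict:
    """Validate the fixed header; reject anything that is not a sane minidump."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, checksum, ts, flags = HEADER.unpack_from(data)
    if sig != SIGNATURE:
        raise ValueError("bad signature %r" % sig)
    if version & 0xFFFF != VERSION:
        raise ValueError("unexpected version 0x%04x" % (version & 0xFFFF))
    # Bounds-check the directory before anyone walks it: a dump is attacker-
    # influenced input, and a crafted RVA or count is the classic way to crash a parser.
    if dir_rva + nstreams * DIRENT.size > len(data):
        raise ValueError("stream directory outside file")
    return {"streams": nstreams, "directory_rva": dir_rva, "checksum": checksum,
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc), "flags": flags}


def decode_flags(flags: int) -> list:
    """Expand the MINIDUMP_TYPE word into flag names (unknown bits kept as hex)."""
    names = [name for bit, name in MINIDUMP_TYPE.items() if flags & bit]
    unknown = flags & ~sum(MINIDUMP_TYPE)
    if unknown:
        names.append("0x%x" % unknown)
    return names


def describe(data: bytes) -> str:
    """Same wording as file(1): 'Mini DuMP crash report, N streams, <time>, 0x... type'."""
    h = parse_header(data)
    ts = h["timestamp"]
    when = "%s %d %s" % (ts.strftime("%a %b"), ts.day, ts.strftime("%H:%M:%S %Y"))
    return "Mini DuMP crash report, %d streams, %s, 0x%x type" % (h["streams"], when, h["flags"])


def list_streams(data: bytes) -> list:
    """Walk the directory, bounds-checking every stream location."""
    h = parse_header(data)
    streams = []
    for i in range(h["streams"]):
        stype, size, rva = DIRENT.unpack_from(data, h["directory_rva"] + i * DIRENT.size)
        if rva + size > len(data):
            raise ValueError("stream %d (type %d) points outside the file" % (i, stype))
        streams.append((STREAM_TYPE.get(stype, "Stream%d" % stype), size, rva))
    return streams


def build_sample() -> bytes:
    """Constructed dump: real header values from the report, a made-up 15-entry directory."""
    n, dir_rva = 15, HEADER.size                      # directory at RVA 0x20, as in the previews
    body_rva = dir_rva + n * DIRENT.size
    header = HEADER.pack(SIGNATURE, 0x0061A793, n, dir_rva, 0, 0x6632546E, 0x1205A4)
    types = [7, 15, 3, 4, 14, 12, 6] + [0] * (n - 7)  # a few real stream types, rest unused
    directory = b"".join(DIRENT.pack(t, 16 if t else 0, body_rva if t else 0) for t in types)
    return header + directory + b"\x00" * 16


if __name__ == "__main__":
    dump = build_sample()
    print(describe(dump))
    print(", ".join(decode_flags(parse_header(dump)["flags"])))
    for name, size, rva in list_streams(dump):
        print("  %-28s size=%-6d rva=0x%x" % (name, size, rva))
```

Decoding 0x1205a4 shows these are triage-style dumps (MiniDumpFilterTriage, MiniDumpWithoutOptionalData, MiniDumpWithProcessThreadData, handle and unloaded-module data, no full memory), which tells an analyst what to expect before opening them in a debugger: thread context and the exception record for the crashing process, not a complete image of its address space.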
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):8434
                                                                                    Entropy (8bit):3.694145581426758
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:R6l7wVeJOjz6t6Y2D/SUi3gmf2r6pBF89bZYsf0fsdzm:R6lXJAz6t6YCSUi3gmf2r3ZLf0f/
                                                                                    MD5:6D75F8A040F8762ECBFB8A89EBB7979E
                                                                                    SHA1:639325662E55A075EB503BC655205260D1FAC428
                                                                                    SHA-256:789651D3CFEB73C4D9F2CFE200DEAB9774590B67E6B4183504A31BA8EB42E5EC
                                                                                    SHA-512:FEED9461997111AF36AC05FECFC1EE14B98DE38BE7F1FF4C934B78DA0C73EEFDCDC193A0C78AA6284A9D30D70C387ACCD499FCD66956D802E244D9EB20F90A37
                                                                                    Malicious:false
                                                                                    Preview (UTF-16LE decoded; non-printable bytes shown as '.'):<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>6024</Pi
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4717
                                                                                    Entropy (8bit):4.474687164690792
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zsnJg77aI9S1WpW8VYYYm8M4J3NtFS/N+q8vTNC9LwmKd:uIjfJI78E7V0J3YFKTcLwmKd
                                                                                    MD5:2FB60D7DBD7D1E5D0FC9686FEA769C36
                                                                                    SHA1:A85A651D8E1A6F9297FF6C4D173D2C75B0F6A75C
                                                                                    SHA-256:8E89F541BA98D851846AAEF3FDC5E9711F7E069B1EC1F8E73F3660DB4B90CC38
                                                                                    SHA-512:8D0E4B86477E4E75EF84F2F5958C8F2EECED356CFBA95171AD0AE99E8E02118E8BF245D6682AB666233D129692DF3FD59FEA81C4632BBF474BE44905C87BDF05
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="304183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):6408
                                                                                    Entropy (8bit):3.7220483066244388
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:R6l7wVeJXuw6Pt5yYvcr6pBM89bZCIcsfGqzm:R6lXJh6PWYkrsZCIvfm
                                                                                    MD5:4CCF1628A9765FA0D86AE06912B4296C
                                                                                    SHA1:C90A3479E550C541D86A34F46D7E7EC9A549C92A
                                                                                    SHA-256:4C5C33573465257921CDFC409F36813053EBFC25A365CE304132BB862AADAD1F
                                                                                    SHA-512:4CA295786918D4D126A6669AF0B52E9DD4C70097790EADB276579721FA7940A29943372B63B04D37BEEBA2F09A926C2657F49402E7FBA5E21C81FAA578601548
                                                                                    Malicious:false
                                                                                    Preview (UTF-16LE decoded; non-printable bytes shown as '.'):<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>6080</Pi
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4712
                                                                                    Entropy (8bit):4.484209298738292
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zsnJg77aI9S1WpW8VYwYm8M4J9NtFs3+q8vHNbTo6nMid:uIjfJI78E7VEJ9i3KHpTo2Mid
                                                                                    MD5:1BC5227BD8B90A3E24D6E49451F6CE58
                                                                                    SHA1:85E8F45255FFE194F0E7E606B2868F73F807327F
                                                                                    SHA-256:BB3B6D003D35E43A782BBBB63543803491D58A5B86A19F92E8491A5BEF806DA8
                                                                                    SHA-512:B763BD687352C14853C53B34017FBDEBD62DEB8E94D42E83CAD24A6E7F1D80625A363F2F01071D9DC4931CBC477BA8F410FB2D8C5026D9F9D931ED2BFB3DCD41
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="304183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):6408
                                                                                    Entropy (8bit):3.719165959514013
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:R6l7wVeJVug6YDYvcr6pBRv89bZ3sf/zm:R6lXJT6UYkrKQZ8fS
                                                                                    MD5:B9F0E9F9F1042F55DC959765A7C16CA2
                                                                                    SHA1:09E6A89A31742A542014A82ADD5C2D3FD5D4FC93
                                                                                    SHA-256:BAA47A89A8360E6EF3BA340C4F7287AEEEBCEF621D14780EECABA0D774D948BB
                                                                                    SHA-512:D229BB23BDBB0D3DB2C9C890A584871BE8CE3E15604C2565E47A03C5923C22EE96C2C4DECCD26282D58771D3C8718E06FD78BAA7A9C46D5676D2B1ABFCD4BBD6
                                                                                    Malicious:false
                                                                                    Preview (UTF-16LE decoded; non-printable bytes shown as '.'):<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>2996</Pi
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4712
                                                                                    Entropy (8bit):4.479628565866061
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zsnJg77aI9S1WpW8VYsYm8M4J9NtFl+q8vHNirTo6nMdd:uIjfJI78E7VsJ9zKHsrTo2Mdd
                                                                                    MD5:C02ACCE3E6BFD668A9FDFB1F2B861D55
                                                                                    SHA1:CB4713828B6DCF45A81C088D325D07CAD4CAC2F5
                                                                                    SHA-256:B1F4B735811FC618D53825F6666E33621CF68427545EB698EBB937AB403E5C08
                                                                                    SHA-512:6DAC05C28AD30D2B03CB1046160D4917A9BDC59F4BCF4F17663733A353DAE76AF6ABA1F43E22F61301EC0B36C33624E1AB28BC53A89EDC48DF2A54E060143182
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="304183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:47 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):86872
                                                                                    Entropy (8bit):2.2821606270224186
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:uhcwATNTvblQXJCU3PQ5Mu1b8JdyvJW3YNoM8zn8saAvS0qLK3azyFvn/uoDpC1:uShTNTvblIOMetovLanzyFv/Hg
                                                                                    MD5:4E134B4153B8F300CC6F2B565283F7B9
                                                                                    SHA1:303A9951B5007EE0F2D930B6CC6F3FF51A6D7248
                                                                                    SHA-256:885CF1810BE71D5FB83C695E422C86C378E9C8D0F8E4552DE6B53393C6F1E69C
                                                                                    SHA-512:07E99787BBBEBD3B38B5CBB12A30219BF4F399AB394986CA73336A499ECAD7C7E69BEE8A38CB57C6D292226122D900326A97F5D85F429FEB098D600FAD9F95DA
                                                                                    Malicious:false
                                                                                    Preview:MDMP..a..... .......oT2f............T...............h.......<...@............;..........`.......8...........T............&...,..........|...........h...............................................................................eJ..............GenuineIntel............T...........GT2f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):8436
                                                                                    Entropy (8bit):3.6962559026975472
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:R6l7wVeJNx6nO86Y2DTSUr8qBgmfvr6pBZ89bn9sfwfNm:R6lXJL6nl6Y+SUr8qBgmfvrrn2fwI
                                                                                    MD5:2BCA9ADDF49E3C1BF28FEED5B42E2AB3
                                                                                    SHA1:CC000E7BE2E29919E0E9BB2AA35B393887A19A41
                                                                                    SHA-256:311098C3705FBCA605BFAB4D89FBB1F5B6DBDF822FD9730D9C9CD61D12D9B359
                                                                                    SHA-512:A0A5E193C53B35182B1BEFE0C832C1D689ABE3C896F94DFB4D67F151D360F25CAF1E04B8E0C7993CCBFF0BC477A956C04C57C34B6AD0B82146C24CECD841E1A3
                                                                                    Malicious:false
                                                                                    Preview (UTF-16LE decoded; non-printable bytes shown as '.'):<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>1948</Pi
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4722
                                                                                    Entropy (8bit):4.476947652189872
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zsnJg77aI9S1WpW8VYMYm8M4JNNtFT+q8vaN6ydmTBxd:uIjfJI78E7VoJNdKaM1TBxd
                                                                                    MD5:EAE8A99E4CB0C880EE9EF5F7038647AA
                                                                                    SHA1:C89232AE5C189DB354CDC345CFA336F8DC791D22
                                                                                    SHA-256:CC06D40DDF7B034B661A325DAF719CB9F69F37A2B6747829ECB05210674EDE1F
                                                                                    SHA-512:FDF46B4B6F5B6DB8B7CCAA7CC933EB25CCBC414CC6452423F4DA97744E973E3FEE6E090D24B5A492A6F5C049880B76316B29A3F51531F2BF171165459AB31BEF
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="304183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:17 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):59312
                                                                                    Entropy (8bit):2.2923021231966936
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:m8J8NJTv+1abngePB2KoI8BtY8ldY25hG8:m8iNJTvWa76q2V
                                                                                    MD5:33DAC73DC6E4697D5FA43A16AE7E8832
                                                                                    SHA1:295EBA3609FF7B4F6E260AD671CA517720567CAF
                                                                                    SHA-256:CC9D8C9BA4DE38CF63059DFD3FB86A2A13389AAEE0BE86AF43141FD629354726
                                                                                    SHA-512:9A59EAE42CBD55CA163858E1286FDB432DC0F93A139D39C265661EFC03F361F8D56C312F656E5919A1538097DACCA7B50AF8B2FFF26690CD2A87F80BF3AB5FF2
                                                                                    Malicious:false
                                                                                    Preview:
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:11 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):61036
                                                                                    Entropy (8bit):2.3246616207032935
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:OYC2+y4NTvhT31asYTeTTlLKoM8gUa8saAvS0PELYHO5BKt:fCNy4NTvhTlao6vLab5BG
                                                                                    MD5:02536188F269630545ACA5909932716F
                                                                                    SHA1:4DF8F42C154E880E5EE87A531FC53851EA01357D
                                                                                    SHA-256:EAF503A8B1202B1632F1EB2547DAEB76EF6B7147F45F509C13533E0B265896BA
                                                                                    SHA-512:E9E531B278DA9284207DDD20489FEFEAF2641D69FFACEFB540A54AB6DB96A060D8FB516F577E319A0980A5FDA844126EA5634BB29F5A58A8EC22B759FAFEA6B4
                                                                                    Malicious:false
                                                                                    Preview:
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):8434
                                                                                    Entropy (8bit):3.6978056362041514
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:R6l7wVeJNn6tos6Y2DbSUMZVgmfvr6pBG89bD9sfWy+Bm:R6lXJ96B6Y2SUYVgmfvryD2fW6
                                                                                    MD5:E04E8EFBE425377DC1B4EB831D90891B
                                                                                    SHA1:6368DA57A9D6EC043CD74DB7963C96EF939686A3
                                                                                    SHA-256:E4D020CCC9DA235CBA9664C1E2BD96A73E8A8E8666C5469368DDB5B954F6B0BD
                                                                                    SHA-512:F3DCE740D0CB9563AFF1F6032D15A17A0A724F1B3CFA48C4EE63A4D12B15C007D6047FA3E76A6DABEE0B4ECDF7A2E7E4ED8298D1FD2202EC26A4141AE014FCA8
                                                                                    Malicious:false
                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.9.4.8.<./.P.i.
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4722
                                                                                    Entropy (8bit):4.477582945511748
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zs4Jg77aI9S1WpW8VYIYm8M4JNNtFk7+q8vaN6ydmTBxd:uIjf+I78E7VoJNW7KaM1TBxd
                                                                                    MD5:72306B7F839B296F52FB9A3C3890804C
                                                                                    SHA1:B5E4427E0CD19A17649DEB414E707A1C4F6C9754
                                                                                    SHA-256:699242D4CCC2C985BCA216314FA76BB97986C02E1BAEC23970BACF92EF111406
                                                                                    SHA-512:2B9C2B2B6609CAC1AB695ACE830E958A3913DDE617FBF5BCC20186D8593AECCDC132E8658EDD7F2FDB7E2E534C3C87CB7234066886AC89EC6A911606DAF5E07A
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="304182" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, Wed May 1 14:40:16 2024, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):59728
                                                                                    Entropy (8bit):2.2982178484628424
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:Ker6sXGNTvla4tC9XTme761KoM88Al8Fa5iuEqACg0s:frvXGNTvllo9yySZK
                                                                                    MD5:FDE1CF3A256FAFF54177A4D561129CBC
                                                                                    SHA1:2DDE2BF76653FE3E1D484B58813E4E89C7356655
                                                                                    SHA-256:561F1F90C3DE460779A31EA09E5A814DF616CE76C0B4EFFCE71AD76A4C9CCFB3
                                                                                    SHA-512:0398877D10D5CF63CEC0E48E272229FD8F293B3133EDFB391CAB0C2DDCF75DF671A7C6A5DB33089107515B7E590C7CCD1E10D2337F5D121DEDEC4D9B8FD9E279
                                                                                    Malicious:false
                                                                                    Preview:
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):6404
                                                                                    Entropy (8bit):3.721432874191362
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:R6l7wVeJXu762Yvcr6pBO89bsCIcsfckm:R6lXJC62YkrasCIvf2
                                                                                    MD5:D745CA2E2AF5E7B8E176BF91B736CE93
                                                                                    SHA1:4C61D58E768B9CC7D67BEBD9B269BAB38430B900
                                                                                    SHA-256:7DD75B651510A306133350044DC80FBC1690EDFB0DB8B255D49AB97A3D299F7D
                                                                                    SHA-512:C6688C5E92393AC804F05955A7428684B3F27C05A07F5B81B5A21DFEFC247A6F12C8A7A59C98C989CDCC8FA62E1E74964016CDFCEAB7864BDD2523C8D27F5244
                                                                                    Malicious:false
                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.8.0.<./.P.i.
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4712
                                                                                    Entropy (8bit):4.483134434477087
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwWl8zs4Jg77aI9S1WpW8VYHYm8M4J9NtF+s+q8vHNbTo6nMid:uIjf+I78E7VbJ9pKHpTo2Mid
                                                                                    MD5:306F3611C35635EB0FFBC1A2CAA437A9
                                                                                    SHA1:7EDC9AF4FCC012779AA2A4BD1FD46B12A5744F8F
                                                                                    SHA-256:9F62EB8B8C6F7211B184087929AFC90858CE2A1D1289AC3131903304E7158E81
                                                                                    SHA-512:2333D06B701E71BA369574D4DBA4B4780843FDB3B7B8FDD37BCB918FDB6EBC2C00F900034ADC18267C9A324882394F4E138F73910C56AA48C273D5BCEAD60339
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="304182" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                    Process:C:\Users\user\Desktop\2zdult23rz.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):997376
                                                                                    Entropy (8bit):7.761305403187805
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:6ExQ6yPljU6/viqZ2yM8RTza/GasmzprSd3horG7VoCN2h/:6ExQJNjU6nVZhdhza/Gasmz5S52WyCNs
                                                                                    MD5:733C1261CF02626F2354E6339BAA6717
                                                                                    SHA1:C9E3599E1D7983FA7439BF2FF122FD7E51A59B93
                                                                                    SHA-256:A14041622D7D427F0B7EA24EFAA7E80A3B025C211273CE0914EE34B5E71BC8C4
                                                                                    SHA-512:09ECAB849F20CC7E418CC665446210B1AF870C345649709F57E52B1A520E2A5296110E572523A045EA565EAC393F33A0A14A082CB06EC5D175D232AD10FD93B4
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 82%
                                                                                    • Antivirus: Virustotal, Detection: 77%
                                                                                    Preview:
                                                                                    Process:C:\Users\user\Desktop\2zdult23rz.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):26
                                                                                    Entropy (8bit):3.95006375643621
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                    Malicious:false
                                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                                    Process:C:\Users\user\Desktop\2zdult23rz.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:modified
                                                                                    Size (bytes):13
                                                                                    Entropy (8bit):2.8150724101159437
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:LtWw:0w
                                                                                    MD5:144CC877A0C2CF482E7AE4DE9BEA10C0
                                                                                    SHA1:F8AA8CE7E90D15065A8AEEC9FDC9F8CA526F6A01
                                                                                    SHA-256:E07A83F90C72C98A0EC4CF4078C41AA6F25816B691B1A13E6ACECE56DA619DDE
                                                                                    SHA-512:5E0272CA778C901131238F0A55731C99EB1210284D4FB58ABD0F5E24873130493C7A4F0BB5DD7C27CA9C28C1F3AA453715F41067BE76F3190D2A99680C3E20E6
                                                                                    Malicious:false
                                                                                    Preview:1714580515092
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                    Category:dropped
                                                                                    Size (bytes):1835008
                                                                                    Entropy (8bit):4.471292231776426
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:dzZfpi6ceLPx9skLmb0fWZWSP3aJG8nAgeiJRMMhA2zX4WABluuNajDH5S:1ZHtWZWOKnMM6bFpQj4
                                                                                    MD5:BB8CCCD2FB008F2664DCD620A6C60DBE
                                                                                    SHA1:AB360B649411C223B7FD3B9F63B94BBB15C4E871
                                                                                    SHA-256:8CD83EF4615C3EA25AA8142353562748DB7150A18D1B11086DE9F7B04B337BAE
                                                                                    SHA-512:6929198462C726139A1826A3D1D16C201701EF85C4CB6EC64049CF7F31870474DAB561BD3DE834FFC9BE4E05480E5892C5B292055BAD3C85CDCB75123FA5C87F
                                                                                    Malicious:false
                                                                                    Preview:
                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Entropy (8bit):7.761305403187805
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:2zdult23rz.exe
                                                                                    File size:997'376 bytes
                                                                                    MD5:733c1261cf02626f2354e6339baa6717
                                                                                    SHA1:c9e3599e1d7983fa7439bf2ff122fd7e51a59b93
                                                                                    SHA256:a14041622d7d427f0b7ea24efaa7e80a3b025c211273ce0914ee34b5e71bc8c4
                                                                                    SHA512:09ecab849f20cc7e418cc665446210b1af870c345649709f57e52b1a520e2a5296110e572523a045ea565eac393f33a0a14a082cb06ec5d175d232ad10fd93b4
                                                                                    SSDEEP:24576:6ExQ6yPljU6/viqZ2yM8RTza/GasmzprSd3horG7VoCN2h/:6ExQJNjU6nVZhdhza/Gasmz5S52WyCNs
                                                                                    TLSH:94251200B6D0C936E6B71B321CB3D644063EFE655A3188372398964EEEB51E04B357BB
                                                                                    File Content Preview:
                                                                                    Icon Hash:cd0d3d2e4e054d05
                                                                                    Entrypoint:0x40406d
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x644A8961 [Thu Apr 27 14:40:33 2023 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:5
                                                                                    OS Version Minor:1
                                                                                    File Version Major:5
                                                                                    File Version Minor:1
                                                                                    Subsystem Version Major:5
                                                                                    Subsystem Version Minor:1
                                                                                    Import Hash:9f06483be0cb3e943a20251385e705a2
Instructions at entrypoint (0x40406d):
  call 00007F3004D38B28h
  jmp 00007F3004D32EF5h
  push 00000014h
  push 004166A8h
  call 00007F3004D36072h
  call 00007F3004D37C33h
  movzx esi, ax
  push 00000002h
  call 00007F3004D38ABBh
  pop ecx
  mov eax, 00005A4Dh
  cmp word ptr [00400000h], ax
  je 00007F3004D32EF6h
  xor ebx, ebx
  jmp 00007F3004D32F25h
  mov eax, dword ptr [0040003Ch]
  cmp dword ptr [eax+00400000h], 00004550h
  jne 00007F3004D32EDDh
  mov ecx, 0000010Bh
  cmp word ptr [eax+00400018h], cx
  jne 00007F3004D32ECFh
  xor ebx, ebx
  cmp dword ptr [eax+00400074h], 0Eh
  jbe 00007F3004D32EFBh
  cmp dword ptr [eax+004000E8h], ebx
  setne bl
  mov dword ptr [ebp-1Ch], ebx
  call 00007F3004D35EE8h
  test eax, eax
  jne 00007F3004D32EFAh
  push 0000001Ch
  call 00007F3004D32FD1h
  pop ecx
  call 00007F3004D355C9h
  test eax, eax
  jne 00007F3004D32EFAh
  push 00000010h
  call 00007F3004D32FC0h
  pop ecx
  call 00007F3004D3797Ch
  and dword ptr [ebp-04h], 00000000h
  call 00007F3004D36FD5h
  test eax, eax
  jns 00007F3004D32EFAh
  push 0000001Bh
  call 00007F3004D32FA6h
  pop ecx
  call dword ptr [004100D0h]
  mov dword ptr [040D776Ch], eax
  call 00007F3004D38B0Fh
  mov dword ptr [004E6720h], eax
  call 00007F3004D3870Ch
  test eax, eax
  jns 00007F3004D32EFAh
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [IMP] VS2008 SP1 build 30729
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD5 build 40629
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x16adc          0x64          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x3cd8000        0xeea8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG            0x10200          0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x16088          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x16040          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x10000          0x198         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
.text   0x1000           0xe413        0xe600    1bc7c92a67f4b4a1ee59f8901b6c14fc  False     0.602156929347826    data       6.687317669995655  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x10000          0x7450        0x7600    cad4a79147b5958598b6e035215e9ec9  False     0.3894994703389831   data       4.891024909888555  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x18000          0x3cbf784     0xce800   08cbfa7ecb757f3d96aafa7dc4f02276  unknown   unknown              unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x3cd8000        0xeea8        0xf000    bee25c7a862d4071b940f9cc423571a6  False     0.47342122395833336  data       5.127157311164671  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA        Size    Type                                                                                   Language  Country  ZLIB Complexity
RT_ICON        0x3cd8570  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors  Romanian  Romania  0.4853411513859275
RT_ICON        0x3cd9418  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors  Romanian  Romania  0.5961191335740073
RT_ICON        0x3cd9cc0  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors   Romanian  Romania  0.6497695852534562
RT_ICON        0x3cda388  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors   Romanian  Romania  0.6473988439306358
RT_ICON        0x3cda8f0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9216                       Romanian  Romania  0.3899377593360996
RT_ICON        0x3cdce98  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4096                       Romanian  Romania  0.5086772983114447
RT_ICON        0x3cddf40  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2304                       Romanian  Romania  0.5856557377049181
RT_ICON        0x3cde8c8  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1024                       Romanian  Romania  0.6773049645390071
RT_ICON        0x3cdeda8  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0                           Romanian  Romania  0.40671641791044777
RT_ICON        0x3cdfc50  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0                           Romanian  Romania  0.4368231046931408
RT_ICON        0x3ce04f8  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0                           Romanian  Romania  0.5374423963133641
RT_ICON        0x3ce0bc0  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0                           Romanian  Romania  0.41040462427745666
RT_ICON        0x3ce1128  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0                          Romanian  Romania  0.45363070539419087
RT_ICON        0x3ce36d0  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0                          Romanian  Romania  0.47115384615384615
RT_ICON        0x3ce4778  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0                          Romanian  Romania  0.4905737704918033
RT_ICON        0x3ce5100  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0                          Romanian  Romania  0.5452127659574468
RT_DIALOG      0x3ce57c8  0x52    data                                                                                                      0.8780487804878049
RT_STRING      0x3ce5820  0x432   data                                                                                   Romanian  Romania  0.45251396648044695
RT_STRING      0x3ce5c58  0x4d4   data                                                                                   Romanian  Romania  0.44660194174757284
RT_STRING      0x3ce6130  0x13a   data                                                                                   Romanian  Romania  0.5286624203821656
RT_STRING      0x3ce6270  0x30a   data                                                                                   Romanian  Romania  0.47429305912596403
RT_STRING      0x3ce6580  0x638   data                                                                                   Romanian  Romania  0.43027638190954776
RT_STRING      0x3ce6bb8  0x2ec   data                                                                                   Romanian  Romania  0.47058823529411764
RT_GROUP_ICON  0x3cded30  0x76    data                                                                                   Romanian  Romania  0.6610169491525424
RT_GROUP_ICON  0x3ce5568  0x76    data                                                                                   Romanian  Romania  0.6694915254237288
RT_VERSION     0x3ce55e0  0x1e4   data                                                                                                      0.5371900826446281
DLL           Import
KERNEL32.dll  GetUserDefaultLCID, AddConsoleAliasW, CreateHardLinkA, GetTickCount, EnumTimeFormatsW, GetUserDefaultLangID, FindResourceExA, GetVolumeInformationA, GetCompressedFileSizeA, GetTempPathW, SetThreadLocale, SetLastError, GetProcAddress, CreateTimerQueueTimer, SetFileAttributesA, LocalCompact, LoadLibraryA, WriteConsoleA, InterlockedExchangeAdd, LocalAlloc, SetCalendarInfoW, GetExitCodeThread, RemoveDirectoryW, AddAtomA, SetNamedPipeHandleState, GlobalFindAtomW, GetModuleFileNameA, GetOEMCP, GlobalUnWire, LoadLibraryExA, ReadConsoleInputW, GetWindowsDirectoryW, AddConsoleAliasA, FindFirstChangeNotificationW, GetLocaleInfoA, BuildCommDCBW, GetComputerNameA, WriteConsoleW, OutputDebugStringW, GetLastError, HeapFree, EncodePointer, DecodePointer, ReadFile, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetCommandLineA, RaiseException, RtlUnwind, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, IsDebuggerPresent, HeapAlloc, GetProcessHeap, HeapSize, EnterCriticalSection, LeaveCriticalSection, SetFilePointerEx, GetConsoleMode, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, CloseHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, WriteFile, GetModuleFileNameW, LoadLibraryExW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStringTypeW, HeapReAlloc, LCMapStringW, SetStdHandle, GetConsoleCP, FlushFileBuffers, CreateFileW
GDI32.dll     GetCharacterPlacementW
ADVAPI32.dll  DeregisterEventSource
WINHTTP.dll   WinHttpConnect
Language of compilation system  Country where language is spoken
Romanian                        Romania
Timestamp                 Protocol  SID      Message                                        Source Port  Dest Port  Source IP     Dest IP
05/01/24-16:40:33.992588  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)  58709        49700      147.45.47.93  192.168.2.6
05/01/24-16:40:18.542503  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)        58709        49700      147.45.47.93  192.168.2.6
05/01/24-16:40:34.007377  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)  58709        49701      147.45.47.93  192.168.2.6
05/01/24-16:42:16.940552  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)     49701        58709      192.168.2.6   147.45.47.93
05/01/24-16:40:19.140548  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)        58709        49701      147.45.47.93  192.168.2.6
05/01/24-16:40:13.617057  TCP       2049060  ET TROJAN RisePro TCP Heartbeat Packet         49699        58709      192.168.2.6   147.45.47.93
05/01/24-16:42:16.940639  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)     49711        58709      192.168.2.6   147.45.47.93
05/01/24-16:42:16.940554  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)     49700        58709      192.168.2.6   147.45.47.93
05/01/24-16:40:33.711799  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)  58709        49699      147.45.47.93  192.168.2.6
05/01/24-16:40:13.812784  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)        58709        49699      147.45.47.93  192.168.2.6
05/01/24-16:40:31.596033  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)        58709        49709      147.45.47.93  192.168.2.6
05/01/24-16:40:34.194330  TCP       2046267  ET TROJAN [ANY.RUN] RisePro TCP (External IP)  58709        49709      147.45.47.93  192.168.2.6
05/01/24-16:40:48.719023  TCP       2046266  ET TROJAN [ANY.RUN] RisePro TCP (Token)        58709        49711      147.45.47.93  192.168.2.6
05/01/24-16:42:16.940722  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)     49709        58709      192.168.2.6   147.45.47.93
05/01/24-16:42:16.940631  TCP       2046269  ET TROJAN [ANY.RUN] RisePro TCP (Activity)     49699        58709      192.168.2.6   147.45.47.93
Timestamp                        Source Port  Dest Port  Source IP     Dest IP
                                                                                    May 1, 2024 16:40:48.340424061 CEST49710443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:48.384126902 CEST4434971034.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:48.472321033 CEST4434971034.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:48.472428083 CEST4434971034.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:48.472501040 CEST49710443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:48.476672888 CEST49710443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:48.476690054 CEST4434971034.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:48.476701975 CEST49710443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:48.476707935 CEST4434971034.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:48.514645100 CEST5870949711147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:40:48.514731884 CEST4971158709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:40:48.719022989 CEST5870949711147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:40:48.783830881 CEST4971158709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:40:49.090692043 CEST4971158709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:40:49.342317104 CEST5870949711147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:40:50.026005983 CEST49712443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:50.026062965 CEST44349712104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:50.026132107 CEST49712443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:50.026834011 CEST49712443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:50.026849031 CEST44349712104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:50.229818106 CEST44349712104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:50.229895115 CEST49712443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:50.232676983 CEST49712443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:50.232702971 CEST44349712104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:50.232949018 CEST44349712104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:50.235002041 CEST49712443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:50.280133963 CEST44349712104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:50.504689932 CEST44349712104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:50.504791021 CEST44349712104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:50.504853964 CEST49712443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:50.505954981 CEST49712443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:50.505987883 CEST44349712104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:50.506782055 CEST4970958709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:40:50.763887882 CEST5870949709147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:40:51.257883072 CEST4969958709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:40:51.514117956 CEST5870949699147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:40:52.018311977 CEST4971158709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:40:52.156872034 CEST49713443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.156924009 CEST4434971334.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.156989098 CEST49713443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.158513069 CEST49713443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.158529043 CEST4434971334.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.266288042 CEST5870949711147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:40:52.326271057 CEST49714443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.326324940 CEST4434971434.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.326395035 CEST49714443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.328397036 CEST49714443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.328408957 CEST4434971434.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.356431961 CEST4434971334.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.356537104 CEST49713443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.357739925 CEST49713443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.357749939 CEST4434971334.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.357989073 CEST4434971334.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.404206991 CEST49713443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.442193985 CEST49715443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.442234039 CEST4434971534.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.442295074 CEST49715443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.443552017 CEST49715443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.443566084 CEST4434971534.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.529742002 CEST4434971434.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.529825926 CEST49714443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.639683962 CEST4434971534.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.639867067 CEST49715443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.641577005 CEST49715443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.641587019 CEST4434971534.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.641836882 CEST4434971534.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:52.815206051 CEST49715443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:52.815206051 CEST4970158709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:40:53.028459072 CEST49714443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:53.028492928 CEST4434971434.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:53.032452106 CEST4434971434.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:53.060908079 CEST5870949701147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:40:53.244116068 CEST4434971434.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:53.246048927 CEST49714443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:54.659032106 CEST4970058709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:40:54.920216084 CEST5870949700147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:40:55.853950024 CEST49715443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:55.896150112 CEST4434971534.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:55.979419947 CEST4434971534.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:55.979542017 CEST4434971534.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:55.979612112 CEST49715443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:55.979991913 CEST49715443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:55.980015039 CEST4434971534.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:55.980029106 CEST49715443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:55.980036020 CEST4434971534.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:55.987473011 CEST49716443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:55.987515926 CEST44349716104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:55.987574100 CEST49716443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:55.988044977 CEST49716443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:55.988063097 CEST44349716104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.088957071 CEST49714443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:56.136121988 CEST4434971434.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:56.139206886 CEST49713443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:56.184118986 CEST4434971334.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:56.192856073 CEST44349716104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.192979097 CEST49716443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.196459055 CEST49716443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.196466923 CEST44349716104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.196743011 CEST44349716104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.198489904 CEST49716443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.220849991 CEST4434971434.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:56.220978022 CEST4434971434.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:56.221036911 CEST49714443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:56.221416950 CEST49714443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:56.221436024 CEST4434971434.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:56.221446991 CEST49714443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:56.221452951 CEST4434971434.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:56.223203897 CEST49717443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.223228931 CEST44349717104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.223315954 CEST49717443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.223625898 CEST49717443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.223639965 CEST44349717104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.244111061 CEST44349716104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.262618065 CEST4434971334.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:56.262739897 CEST4434971334.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:56.262914896 CEST49713443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:56.263598919 CEST49713443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:56.263626099 CEST4434971334.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:56.263639927 CEST49713443192.168.2.634.117.186.192
                                                                                    May 1, 2024 16:40:56.263647079 CEST4434971334.117.186.192192.168.2.6
                                                                                    May 1, 2024 16:40:56.265722990 CEST49718443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.265760899 CEST44349718104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.265861988 CEST49718443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.266153097 CEST49718443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.266164064 CEST44349718104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.422470093 CEST44349717104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.422596931 CEST49717443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.423880100 CEST49717443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.423897982 CEST44349717104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.424165964 CEST44349717104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.428342104 CEST49717443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.462177992 CEST44349716104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.462284088 CEST44349716104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.462364912 CEST49716443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.462647915 CEST49716443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.462667942 CEST44349716104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.462678909 CEST49716443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.462685108 CEST44349716104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.463849068 CEST4970158709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:40:56.464394093 CEST44349718104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.464467049 CEST49718443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.465758085 CEST49718443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.465769053 CEST44349718104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.466028929 CEST44349718104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.468152046 CEST49718443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.476121902 CEST44349717104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.516110897 CEST44349718104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.703900099 CEST44349717104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.704015970 CEST44349717104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.704065084 CEST49717443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.704328060 CEST49717443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.704348087 CEST44349717104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.704359055 CEST49717443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.704375982 CEST44349717104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.704719067 CEST4970058709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:40:56.717180014 CEST5870949701147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:40:56.744729996 CEST44349718104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.744827986 CEST44349718104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.744884014 CEST49718443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.745176077 CEST49718443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.745196104 CEST44349718104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.745208025 CEST49718443192.168.2.6104.26.4.15
                                                                                    May 1, 2024 16:40:56.745213032 CEST44349718104.26.4.15192.168.2.6
                                                                                    May 1, 2024 16:40:56.745475054 CEST4969958709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:40:56.966988087 CEST5870949700147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:40:56.998262882 CEST5870949699147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:41:17.643412113 CEST4970958709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:41:17.888777018 CEST5870949709147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:41:21.000361919 CEST5870949699147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:41:21.030756950 CEST5870949700147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:41:21.046509981 CEST5870949701147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:41:21.049509048 CEST4969958709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:41:21.080746889 CEST4970058709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:41:21.096363068 CEST4970158709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:41:21.123740911 CEST5870949709147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:41:21.174479008 CEST4970958709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:41:23.862763882 CEST4971158709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:41:24.107878923 CEST5870949711147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:41:24.113233089 CEST4969958709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:41:24.174623966 CEST4970158709192.168.2.6147.45.47.93
                                                                                    May 1, 2024 16:41:24.358016014 CEST5870949699147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:41:24.420156956 CEST5870949701147.45.47.93192.168.2.6
                                                                                    May 1, 2024 16:41:27.284049034 CEST4970058709192.168.2.6147.45.47.93
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 1, 2024 16:40:47.284815073 CEST | 65173 | 53 | 192.168.2.6 | 1.1.1.1
May 1, 2024 16:40:47.383929968 CEST | 53 | 65173 | 1.1.1.1 | 192.168.2.6
May 1, 2024 16:40:49.925873995 CEST | 59915 | 53 | 192.168.2.6 | 1.1.1.1
May 1, 2024 16:40:50.024710894 CEST | 53 | 59915 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 1, 2024 16:40:47.284815073 CEST | 192.168.2.6 | 1.1.1.1 | 0xefd6 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
May 1, 2024 16:40:49.925873995 CEST | 192.168.2.6 | 1.1.1.1 | 0x8554 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 1, 2024 16:40:47.383929968 CEST | 1.1.1.1 | 192.168.2.6 | 0xefd6 | No error (0) | ipinfo.io | - | 34.117.186.192 | A (IP address) | IN (0x0001) | false
May 1, 2024 16:40:50.024710894 CEST | 1.1.1.1 | 192.168.2.6 | 0x8554 | No error (0) | db-ip.com | - | 104.26.4.15 | A (IP address) | IN (0x0001) | false
May 1, 2024 16:40:50.024710894 CEST | 1.1.1.1 | 192.168.2.6 | 0x8554 | No error (0) | db-ip.com | - | 104.26.5.15 | A (IP address) | IN (0x0001) | false
May 1, 2024 16:40:50.024710894 CEST | 1.1.1.1 | 192.168.2.6 | 0x8554 | No error (0) | db-ip.com | - | 172.67.75.166 | A (IP address) | IN (0x0001) | false
• https:
  • ipinfo.io
  • db-ip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 34.117.186.192 | 443 | 5092 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-01 14:40:48 UTC | 237 | OUT | GET /widget/demo/149.18.24.96 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-05-01 14:40:48 UTC | 513 | IN | HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Wed, 01 May 2024 14:40:48 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 959
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 2
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-05-01 14:40:48 UTC | 742 | IN | Data Ascii: { "input": "149.18.24.96", "data": { "ip": "149.18.24.96", "city": "Washington", "region": "Washington, D.C.", "country": "US", "loc": "38.8951,-77.0364", "org": "AS212238 Datacamp Limited", "postal": "20004", "timezone
2024-05-01 14:40:48 UTC | 217 | IN | Data Ascii: ddress": "US, NY, Greenlawn, 55 Broadway, #686, 11740", "country": "US", "email": "abuse@logicweb.com", "name": "Abuse", "network": "149.18.0.0/16", "phone": "+1-347-212-5047" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49712 | 104.26.4.15 | 443 | 5092 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-01 14:40:50 UTC | 261 | OUT | GET /demo/home.php?s=149.18.24.96 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
2024-05-01 14:40:50 UTC | 656 | IN | HTTP/1.1 200 OK
    Date: Wed, 01 May 2024 14:40:50 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    x-iplb-request-id: AC46AE97:23FE_93878F2E:0050_66325472_AF918F9:7B63
    x-iplb-instance: 59128
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zK%2Ban8f2TSS4j2%2Bw2hxolTjwBKqdigASL8GdQ18jGmG9jzqmIVD%2Bf5TUWU6FbPfo1zbFbnC%2FUyVSflAvDOhA30kzZdnpOCUJBMjolUiVRBHJWKFOQsqNYYWYoQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87d0876b099b8221-IAD
    alt-svc: h3=":443"; ma=86400
2024-05-01 14:40:50 UTC | 85 | IN | Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-05-01 14:40:50 UTC | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49715 | 34.117.186.192 | 443 | 2996 | C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-01 14:40:55 UTC | 237 | OUT | GET /widget/demo/149.18.24.96 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-05-01 14:40:55 UTC | 513 | IN | HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Wed, 01 May 2024 14:40:55 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 959
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 2
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-05-01 14:40:55 UTC | 742 | IN | Data Ascii: { "input": "149.18.24.96", "data": { "ip": "149.18.24.96", "city": "Washington", "region": "Washington, D.C.", "country": "US", "loc": "38.8951,-77.0364", "org": "AS212238 Datacamp Limited", "postal": "20004", "timezone
2024-05-01 14:40:55 UTC | 217 | IN | Data Ascii: ddress": "US, NY, Greenlawn, 55 Broadway, #686, 11740", "country": "US", "email": "abuse@logicweb.com", "name": "Abuse", "network": "149.18.0.0/16", "phone": "+1-347-212-5047" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49714 | 34.117.186.192 | 443 | 6080 | C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-01 14:40:56 UTC | 237 | OUT | GET /widget/demo/149.18.24.96 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-05-01 14:40:56 UTC | 513 | IN | HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Wed, 01 May 2024 14:40:56 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 959
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 2
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-05-01 14:40:56 UTC | 742 | IN | Data Ascii: { "input": "149.18.24.96", "data": { "ip": "149.18.24.96", "city": "Washington", "region": "Washington, D.C.", "country": "US", "loc": "38.8951,-77.0364", "org": "AS212238 Datacamp Limited", "postal": "20004", "timezone
2024-05-01 14:40:56 UTC | 217 | IN | Data Ascii: ddress": "US, NY, Greenlawn, 55 Broadway, #686, 11740", "country": "US", "email": "abuse@logicweb.com", "name": "Abuse", "network": "149.18.0.0/16", "phone": "+1-347-212-5047" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49713 | 34.117.186.192 | 443 | 1948 | C:\Users\user\Desktop\2zdult23rz.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-01 14:40:56 UTC | 237 | OUT | GET /widget/demo/149.18.24.96 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-05-01 14:40:56 UTC | 513 | IN | HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Wed, 01 May 2024 14:40:56 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 959
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 2
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-05-01 14:40:56 UTC | 742 | IN | Data Ascii: { "input": "149.18.24.96", "data": { "ip": "149.18.24.96", "city": "Washington", "region": "Washington, D.C.", "country": "US", "loc": "38.8951,-77.0364", "org": "AS212238 Datacamp Limited", "postal": "20004", "timezone
2024-05-01 14:40:56 UTC | 217 | IN | Data Ascii: ddress": "US, NY, Greenlawn, 55 Broadway, #686, 11740", "country": "US", "email": "abuse@logicweb.com", "name": "Abuse", "network": "149.18.0.0/16", "phone": "+1-347-212-5047" } }}


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.6  49716        104.26.4.15     443               2996  C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp                Bytes transferred  Direction  Data
2024-05-01 14:40:56 UTC  261                OUT        GET /demo/home.php?s=149.18.24.96 HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                       Host: db-ip.com
2024-05-01 14:40:56 UTC  652                IN         HTTP/1.1 200 OK
                                                       Date: Wed, 01 May 2024 14:40:56 GMT
                                                       Content-Type: application/json
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       x-iplb-request-id: AC4687B6:CB36_93878F2E:0050_66325478_AFD5EDE:4F34
                                                       x-iplb-instance: 59215
                                                       CF-Cache-Status: DYNAMIC
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BFw0TmERv7n2zgenA3gK7jFdnz%2BPwrjY3BATUNFCBIO169MCkQJlxWGlEhFb2hBGSK2A0ts8OvPIYlrAOG6anpoKOJ4AILNPpMVCNnnYSQX1n66g5D0H8ML4vA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 87d087905bcd7fbe-IAD
                                                       alt-svc: h3=":443"; ma=86400
2024-05-01 14:40:56 UTC  85                 IN         Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                                       Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-05-01 14:40:56 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                       Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.6  49717        104.26.4.15     443               6080  C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp                Bytes transferred  Direction  Data
2024-05-01 14:40:56 UTC  261                OUT        GET /demo/home.php?s=149.18.24.96 HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                       Host: db-ip.com
2024-05-01 14:40:56 UTC  666                IN         HTTP/1.1 200 OK
                                                       Date: Wed, 01 May 2024 14:40:56 GMT
                                                       Content-Type: application/json
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       x-iplb-request-id: A29E4FA3:F7DE_93878F2E:0050_66325478_AF91A15:7B63
                                                       x-iplb-instance: 59128
                                                       CF-Cache-Status: DYNAMIC
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lvABRLD8smqf2iw9eF1vxR6Ko%2FOdPO5Ngoh%2BvjvoIi5lGaIkGu4fSRo%2FGlc7%2BvERkGJnPi%2BsLRjyT1a%2Bo%2BtWLrnNCrQ4QvYLytr%2B1uB99Ms1pT%2BzMUJ4kL5ScQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 87d08791c80657c7-IAD
                                                       alt-svc: h3=":443"; ma=86400
2024-05-01 14:40:56 UTC  85                 IN         Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                                       Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-05-01 14:40:56 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                       Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.6  49718        104.26.4.15     443               1948  C:\Users\user\Desktop\2zdult23rz.exe

Timestamp                Bytes transferred  Direction  Data
2024-05-01 14:40:56 UTC  261                OUT        GET /demo/home.php?s=149.18.24.96 HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                       Host: db-ip.com
2024-05-01 14:40:56 UTC  660                IN         HTTP/1.1 200 OK
                                                       Date: Wed, 01 May 2024 14:40:56 GMT
                                                       Content-Type: application/json
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       x-iplb-request-id: AC462621:B8A6_93878F2E:0050_66325478_AFD5EEF:4F34
                                                       x-iplb-instance: 59215
                                                       CF-Cache-Status: DYNAMIC
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TKC%2FXQJSce93uJptAEy0ctpGw4h2%2BhgKwm%2BBTGJtHAprbESnvQNKX0OzXnbCJoYg1Dt%2BA7xJewKlTEcGoRjnNlKkBahxk88x%2F4fLi8qIsWNLH54An96qZP%2Fv0g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 87d087920c01394c-IAD
                                                       alt-svc: h3=":443"; ma=86400
2024-05-01 14:40:56 UTC  85                 IN         Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                                       Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-05-01 14:40:56 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                       Data Ascii: 0



Target ID: 0
Start time: 16:40:07
Start date: 01/05/2024
Path: C:\Users\user\Desktop\2zdult23rz.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\2zdult23rz.exe"
Imagebase: 0x400000
File size: 997'376 bytes
MD5 hash: 733C1261CF02626F2354E6339BAA6717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: false

Target ID: 2
Start time: 16:40:10
Start date: 01/05/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase: 0x290000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 16:40:10
Start date: 01/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 16:40:10
Start date: 01/05/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase: 0x290000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 16:40:10
Start date: 01/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 16:40:11
Start date: 01/05/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 860
Imagebase: 0x370000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 16:40:12
Start date: 01/05/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0x400000
File size: 997'376 bytes
MD5 hash: 733C1261CF02626F2354E6339BAA6717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 82%, ReversingLabs
• Detection: 77%, Virustotal
Reputation: low
Has exited: false

Target ID: 10
Start time: 16:40:13
Start date: 01/05/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0x400000
File size: 997'376 bytes
MD5 hash: 733C1261CF02626F2354E6339BAA6717
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.3356453066.0000000005C1A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: false

Target ID: 12
Start time: 16:40:16
Start date: 01/05/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 800
Imagebase: 0x370000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 16:40:16
Start date: 01/05/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 776
Imagebase: 0x370000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 16
Start time: 16:40:25
Start date: 01/05/2024
Path: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase: 0x400000
File size: 997'376 bytes
MD5 hash: 733C1261CF02626F2354E6339BAA6717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000010.00000002.3356388466.0000000005CCC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 82%, ReversingLabs
• Detection: 77%, Virustotal
Reputation: low
Has exited: false

                                                                                    Target ID:18
                                                                                    Start time:16:40:27
                                                                                    Start date:01/05/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 812
                                                                                    Imagebase:0x370000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:20
                                                                                    Start time:16:40:32
                                                                                    Start date:01/05/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 956
                                                                                    Imagebase:0x370000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:24
                                                                                    Start time:16:40:35
                                                                                    Start date:01/05/2024
                                                                                    Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:997'376 bytes
                                                                                    MD5 hash:733C1261CF02626F2354E6339BAA6717
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000018.00000002.3357697042.0000000005D4D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    Reputation:low
                                                                                    Has exited:false

                                                                                    Target ID:25
                                                                                    Start time:16:40:35
                                                                                    Start date:01/05/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 888
                                                                                    Imagebase:0x370000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:26
                                                                                    Start time:16:40:35
                                                                                    Start date:01/05/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 896
                                                                                    Imagebase:0x370000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:27
                                                                                    Start time:16:40:35
                                                                                    Start date:01/05/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 956
                                                                                    Imagebase:0x370000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:29
                                                                                    Start time:16:40:37
                                                                                    Start date:01/05/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 956
                                                                                    Imagebase:0x370000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:33
                                                                                    Start time:16:40:44
                                                                                    Start date:01/05/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 928
                                                                                    Imagebase:0x370000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:34
                                                                                    Start time:16:40:44
                                                                                    Start date:01/05/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 792
                                                                                    Imagebase:0x370000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:37
                                                                                    Start time:16:40:45
                                                                                    Start date:01/05/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 888
                                                                                    Imagebase:0x370000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:40
                                                                                    Start time:16:40:46
                                                                                    Start date:01/05/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 972
                                                                                    Imagebase:0x370000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true


                                                                                      Execution Graph

                                                                                      Execution Coverage:3.1%
                                                                                      Dynamic/Decrypted Code Coverage:1.1%
                                                                                      Signature Coverage:21.8%
                                                                                      Total number of Nodes:1082
                                                                                      Total number of Limit Nodes:14
61410 443f08 61397->61410 61480 43cdac 61399->61480 61401 43cee6 61401->61386 61402->61392 61404 444a85 61403->61404 61405 444a9a 61403->61405 61421 43bf8f 14 API calls __dosmaperr 61404->61421 61405->61397 61407 444a8a 61422 4334f0 41 API calls ___std_exception_copy 61407->61422 61409 444a95 61409->61397 61411 443f14 __FrameHandler3::FrameUnwindToState 61410->61411 61412 443f55 61411->61412 61414 443f9b 61411->61414 61420 443f1c 61411->61420 61452 433473 41 API calls 2 library calls 61412->61452 61423 448f52 EnterCriticalSection 61414->61423 61416 443fa1 61417 443fbf 61416->61417 61424 444019 61416->61424 61453 444011 LeaveCriticalSection __wsopen_s 61417->61453 61420->61394 61421->61407 61422->61409 61423->61416 61425 444041 61424->61425 61428 444064 __wsopen_s 61424->61428 61426 444045 61425->61426 61429 4440a0 61425->61429 61461 433473 41 API calls 2 library calls 61426->61461 61428->61417 61430 4440be 61429->61430 61431 43cecd __wsopen_s 43 API calls 61429->61431 61454 443b5e 61430->61454 61431->61430 61434 4440d6 61438 444105 61434->61438 61439 4440de 61434->61439 61435 44411d 61436 444186 WriteFile 61435->61436 61437 444131 61435->61437 61436->61428 61442 4441a8 GetLastError 61436->61442 61440 444172 61437->61440 61441 444139 61437->61441 61463 44372f 47 API calls 5 library calls 61438->61463 61439->61428 61462 443af6 6 API calls __wsopen_s 61439->61462 61466 443bdb 7 API calls 2 library calls 61440->61466 61444 44415e 61441->61444 61445 44413e 61441->61445 61442->61428 61465 443d9f 8 API calls 3 library calls 61444->61465 61445->61428 61448 444147 61445->61448 61464 443cb6 7 API calls 2 library calls 61448->61464 61450 444118 61450->61428 61452->61420 61453->61420 61467 44e474 61454->61467 61456 443bd4 61456->61434 61456->61435 61457 443b70 61457->61456 61460 443b9e 61457->61460 61476 438a60 41 API calls 2 library calls 61457->61476 61459 443bb8 GetConsoleMode 61459->61456 61460->61456 61460->61459 61461->61428 61462->61428 61463->61450 61464->61428 
61465->61450 61466->61450 61468 44e481 61467->61468 61469 44e48e 61467->61469 61477 43bf8f 14 API calls __dosmaperr 61468->61477 61472 44e49a 61469->61472 61478 43bf8f 14 API calls __dosmaperr 61469->61478 61471 44e486 61471->61457 61472->61457 61474 44e4bb 61479 4334f0 41 API calls ___std_exception_copy 61474->61479 61476->61460 61477->61471 61478->61474 61479->61471 61486 4491ce 61480->61486 61482 43cdbe 61483 43cdda SetFilePointerEx 61482->61483 61485 43cdc6 __wsopen_s 61482->61485 61484 43cdf2 GetLastError 61483->61484 61483->61485 61484->61485 61485->61401 61487 4491f0 61486->61487 61488 4491db 61486->61488 61492 449215 61487->61492 61501 43bf7c 14 API calls __dosmaperr 61487->61501 61499 43bf7c 14 API calls __dosmaperr 61488->61499 61491 4491e0 61500 43bf8f 14 API calls __dosmaperr 61491->61500 61492->61482 61493 449220 61502 43bf8f 14 API calls __dosmaperr 61493->61502 61496 4491e8 61496->61482 61497 449228 61503 4334f0 41 API calls ___std_exception_copy 61497->61503 61499->61491 61500->61496 61501->61493 61502->61497 61503->61496 61505 43355d __FrameHandler3::FrameUnwindToState 61504->61505 61506 433585 61505->61506 61507 433564 61505->61507 61515 43bae0 EnterCriticalSection 61506->61515 61519 433473 41 API calls 2 library calls 61507->61519 61510 43357d 61510->61291 61511 433590 61516 433660 61511->61516 61515->61511 61521 433692 61516->61521 61518 43359f 61520 4335c7 LeaveCriticalSection __fread_nolock 61518->61520 61519->61510 61520->61510 61522 4336a1 61521->61522 61523 4336c9 61521->61523 61538 433473 41 API calls 2 library calls 61522->61538 61525 444a79 __fread_nolock 41 API calls 61523->61525 61527 4336d2 61525->61527 61526 4336bc __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 61526->61518 61535 43ce6f 61527->61535 61530 43377c 61539 4339fe 46 API calls 4 library calls 61530->61539 61532 433793 61532->61526 61540 433833 45 API calls 2 library calls 61532->61540 61533 43378b 61533->61526 61541 43cc87 61535->61541 61538->61526 61539->61533 61540->61526 
61544 43cc93 __FrameHandler3::FrameUnwindToState 61541->61544 61542 4336f0 61542->61526 61542->61530 61542->61532 61543 43ccd6 61553 433473 41 API calls 2 library calls 61543->61553 61544->61542 61544->61543 61546 43cd1c 61544->61546 61552 448f52 EnterCriticalSection 61546->61552 61548 43cd22 61549 43cd43 61548->61549 61550 43cdac __fread_nolock 43 API calls 61548->61550 61554 43cda4 LeaveCriticalSection __wsopen_s 61549->61554 61550->61549 61552->61548 61553->61542 61554->61542 61555->61302 61557 43c958 __FrameHandler3::FrameUnwindToState 61556->61557 61558 43c9a2 61557->61558 61559 43c96b __fread_nolock 61557->61559 61568 43c947 61557->61568 61569 43bae0 EnterCriticalSection 61558->61569 61583 43bf8f 14 API calls __dosmaperr 61559->61583 61562 43c9ac 61570 43c756 61562->61570 61563 43c985 61584 4334f0 41 API calls ___std_exception_copy 61563->61584 61568->61307 61569->61562 61573 43c768 __fread_nolock 61570->61573 61576 43c785 61570->61576 61571 43c775 61651 43bf8f 14 API calls __dosmaperr 61571->61651 61573->61571 61573->61576 61579 43c7c6 __fread_nolock 61573->61579 61574 43c77a 61652 4334f0 41 API calls ___std_exception_copy 61574->61652 61585 43c9e1 LeaveCriticalSection __fread_nolock 61576->61585 61577 43c8f1 __fread_nolock 61654 43bf8f 14 API calls __dosmaperr 61577->61654 61579->61576 61579->61577 61580 444a79 __fread_nolock 41 API calls 61579->61580 61586 4431a0 61579->61586 61653 43777b 41 API calls 4 library calls 61579->61653 61580->61579 61583->61563 61584->61568 61585->61568 61587 4431b2 61586->61587 61588 4431ca 61586->61588 61655 43bf7c 14 API calls __dosmaperr 61587->61655 61589 44350c 61588->61589 61594 44320d 61588->61594 61674 43bf7c 14 API calls __dosmaperr 61589->61674 61591 4431b7 61656 43bf8f 14 API calls __dosmaperr 61591->61656 61593 443511 61675 43bf8f 14 API calls __dosmaperr 61593->61675 61596 4431bf 61594->61596 61598 443218 61594->61598 61604 443248 61594->61604 61596->61579 61657 43bf7c 14 API calls __dosmaperr 61598->61657 61599 
443225 61676 4334f0 41 API calls ___std_exception_copy 61599->61676 61601 44321d 61658 43bf8f 14 API calls __dosmaperr 61601->61658 61605 443261 61604->61605 61606 44329c 61604->61606 61607 44326e 61604->61607 61605->61607 61640 44328a 61605->61640 61662 445924 15 API calls 3 library calls 61606->61662 61659 43bf7c 14 API calls __dosmaperr 61607->61659 61609 443273 61660 43bf8f 14 API calls __dosmaperr 61609->61660 61612 44e474 __fread_nolock 41 API calls 61615 4433e8 61612->61615 61613 4432ad 61663 4458aa 14 API calls __dosmaperr 61613->61663 61614 44327a 61661 4334f0 41 API calls ___std_exception_copy 61614->61661 61618 44345c 61615->61618 61622 443401 GetConsoleMode 61615->61622 61621 443460 ReadFile 61618->61621 61619 4432b6 61664 4458aa 14 API calls __dosmaperr 61619->61664 61624 4434d4 GetLastError 61621->61624 61625 443478 61621->61625 61622->61618 61626 443412 61622->61626 61623 4432bd 61627 4432c7 61623->61627 61628 4432e2 61623->61628 61629 4434e1 61624->61629 61630 443438 61624->61630 61625->61624 61631 443451 61625->61631 61626->61621 61632 443418 ReadConsoleW 61626->61632 61665 43bf8f 14 API calls __dosmaperr 61627->61665 61667 43ce8d 43 API calls 2 library calls 61628->61667 61672 43bf8f 14 API calls __dosmaperr 61629->61672 61649 443285 __fread_nolock 61630->61649 61668 43bf35 14 API calls __dosmaperr 61630->61668 61644 4434b4 61631->61644 61645 44349d 61631->61645 61631->61649 61632->61631 61637 443432 GetLastError 61632->61637 61637->61630 61638 4432cc 61666 43bf7c 14 API calls __dosmaperr 61638->61666 61639 4434e6 61673 43bf7c 14 API calls __dosmaperr 61639->61673 61640->61612 61647 4434cd 61644->61647 61644->61649 61670 442eb2 46 API calls 3 library calls 61645->61670 61671 442cf8 44 API calls __fread_nolock 61647->61671 61669 4458aa 14 API calls __dosmaperr 61649->61669 61650 4434d2 61650->61649 61651->61574 61652->61576 61653->61579 61654->61574 61655->61591 61656->61596 61657->61601 61658->61599 61659->61609 61660->61614 61661->61649 
61662->61613 61663->61619 61664->61623 61665->61638 61666->61649 61667->61640 61668->61649 61669->61596 61670->61649 61671->61650 61672->61639 61673->61649 61674->61593 61675->61599 61676->61596 61678 43781f __FrameHandler3::FrameUnwindToState 61677->61678 61679 437829 61678->61679 61680 43784c 61678->61680 61703 433473 41 API calls 2 library calls 61679->61703 61687 437844 61680->61687 61688 43bae0 EnterCriticalSection 61680->61688 61683 43786a 61689 4378aa 61683->61689 61685 437877 61704 4378a2 LeaveCriticalSection __fread_nolock 61685->61704 61687->61310 61688->61683 61690 4378b7 61689->61690 61691 4378da 61689->61691 61716 433473 41 API calls 2 library calls 61690->61716 61693 434321 ___scrt_uninitialize_crt 66 API calls 61691->61693 61694 4378d2 61691->61694 61695 4378f2 61693->61695 61694->61685 61705 4458e4 61695->61705 61698 444a79 __fread_nolock 41 API calls 61699 437906 61698->61699 61709 4435bc 61699->61709 61703->61687 61704->61687 61706 4378fa 61705->61706 61707 4458fb 61705->61707 61706->61698 61707->61706 61718 4458aa 14 API calls __dosmaperr 61707->61718 61710 4435e5 61709->61710 61715 43790d 61709->61715 61711 443634 61710->61711 61713 44360c 61710->61713 61727 433473 41 API calls 2 library calls 61711->61727 61719 44352b 61713->61719 61715->61694 61717 4458aa 14 API calls __dosmaperr 61715->61717 61716->61694 61717->61694 61718->61706 61720 443537 __FrameHandler3::FrameUnwindToState 61719->61720 61728 448f52 EnterCriticalSection 61720->61728 61722 443545 61724 443576 61722->61724 61729 44368f 61722->61729 61742 4435b0 LeaveCriticalSection __wsopen_s 61724->61742 61726 443599 61726->61715 61727->61715 61728->61722 61730 4491ce __wsopen_s 41 API calls 61729->61730 61732 44369f 61730->61732 61731 4436a5 61743 44913d 15 API calls 2 library calls 61731->61743 61732->61731 61734 4491ce __wsopen_s 41 API calls 61732->61734 61741 4436d7 61732->61741 61736 4436ce 61734->61736 61735 4491ce __wsopen_s 41 API calls 61737 4436e3 FindCloseChangeNotification 
61735->61737 61738 4491ce __wsopen_s 41 API calls 61736->61738 61737->61731 61739 4436ef GetLastError 61737->61739 61738->61741 61739->61731 61740 4436fd __wsopen_s 61740->61724 61741->61731 61741->61735 61742->61726 61743->61740 61745 4d2870 61744->61745 61763 4d23fe std::ios_base::_Ios_base_dtor __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 61744->61763 61746 4d2447 setsockopt recv WSAGetLastError 61746->61745 61746->61763 61748 42d8f9 __Xtime_get_ticks 2 API calls 61748->61763 61749 4d285b Sleep 61749->61745 61749->61763 61750 4d27c8 recv 61751 4d284d Sleep 61750->61751 61751->61749 61752 416930 43 API calls 61753 4d24d8 recv 61752->61753 61754 4d24f9 recv 61753->61754 61753->61763 61754->61763 61756 416930 43 API calls 61759 4d2561 setsockopt recv 61756->61759 61757 414090 std::_Throw_Cpp_error 43 API calls 61757->61763 61758 4d2885 61760 433500 std::_Throw_Cpp_error 41 API calls 61758->61760 61759->61763 61761 4d288a 61760->61761 61763->61746 61763->61748 61763->61749 61763->61750 61763->61751 61763->61752 61763->61756 61763->61757 61763->61758 61764 4d3150 WSAStartup 61763->61764 61777 4d2890 61763->61777 61859 4081e0 61763->61859 61765 4d3256 61764->61765 61766 4d3188 61764->61766 61765->61763 61766->61765 61767 4d31be getaddrinfo 61766->61767 61768 4d3206 61767->61768 61769 4d3250 WSACleanup 61767->61769 61770 4d3264 freeaddrinfo 61768->61770 61772 4d3214 socket 61768->61772 61769->61765 61770->61769 61771 4d3270 61770->61771 61771->61763 61772->61769 61773 4d322a connect 61772->61773 61774 4d323c closesocket 61773->61774 61775 4d3260 61773->61775 61774->61772 61776 4d3246 freeaddrinfo 61774->61776 61775->61770 61776->61769 61778 4d2946 61777->61778 61779 4d28e3 61777->61779 61781 4d294e 61778->61781 61782 4d2970 61778->61782 61780 4081e0 46 API calls 61779->61780 61792 4d2909 61780->61792 61871 413df0 43 API calls 3 library calls 61781->61871 61783 4d299d 61782->61783 61784 4d2978 61782->61784 61787 4d29cc 61783->61787 61788 4d29a5 61783->61788 61872 413df0 
43 API calls 3 library calls 61784->61872 61789 4d29d4 61787->61789 61790 4d29f2 61787->61790 61788->61792 61873 413df0 43 API calls 3 library calls 61788->61873 61793 43bb47 44 API calls 61789->61793 61790->61792 61795 4d2f16 61790->61795 61796 4d2a12 61790->61796 61794 4d2941 std::ios_base::_Ios_base_dtor 61792->61794 61798 433500 std::_Throw_Cpp_error 41 API calls 61792->61798 61793->61792 61794->61763 61799 4d2f1e 61795->61799 61800 4d2f54 61795->61800 61874 404b10 50 API calls std::_Throw_Cpp_error 61796->61874 61801 4d30bd 61798->61801 61920 4186a0 48 API calls 61799->61920 61803 4d2f5c 61800->61803 61804 4d2f92 61800->61804 61806 433500 std::_Throw_Cpp_error 41 API calls 61801->61806 61922 4186a0 48 API calls 61803->61922 61807 4d2f9a 61804->61807 61808 4d2fd0 61804->61808 61812 4d30c2 setsockopt 61806->61812 61924 4186a0 48 API calls 61807->61924 61814 4d300e 61808->61814 61815 4d2fd8 61808->61815 61809 4d2f3b 61921 411960 43 API calls 61809->61921 61810 4d2f79 61923 411960 43 API calls 61810->61923 61811 4d2efe 61917 42d43a 61811->61917 61812->61763 61817 4d304c 61814->61817 61818 4d3016 61814->61818 61926 4186a0 48 API calls 61815->61926 61817->61792 61930 453390 46 API calls 3 library calls 61817->61930 61928 4186a0 48 API calls 61818->61928 61821 4d2fb7 61925 411960 43 API calls 61821->61925 61825 4d2ff5 61927 411960 43 API calls 61825->61927 61826 4d3033 61929 411960 43 API calls 61826->61929 61827 4034e0 std::_Throw_Cpp_error 43 API calls 61836 4d2a34 std::ios_base::_Ios_base_dtor 61827->61836 61831 4d3066 61832 413fa0 41 API calls 61831->61832 61833 4d3071 61832->61833 61835 4031c0 std::_Throw_Cpp_error 41 API calls 61833->61835 61835->61792 61836->61801 61836->61811 61836->61827 61837 4d2c75 61836->61837 61875 41c4c0 61836->61875 61838 4032a0 43 API calls 61837->61838 61839 4d2c96 61838->61839 61914 4e2cc0 43 API calls 3 library calls 61839->61914 61841 4d2ca7 61842 4031c0 std::_Throw_Cpp_error 41 API calls 61841->61842 61843 4d2cb6 61842->61843 
61844 4d2d7c 61843->61844 61845 4d2d54 GetCurrentProcess 61843->61845 61848 4340b0 43 API calls 61844->61848 61846 414090 std::_Throw_Cpp_error 43 API calls 61845->61846 61847 4d2d6d 61846->61847 61915 4db380 56 API calls 3 library calls 61847->61915 61850 4d2e18 61848->61850 61858 4d2e4a 61850->61858 61916 43beb8 69 API calls ___std_exception_copy 61850->61916 61851 4d2d74 61851->61858 61853 4d2e44 61854 437938 71 API calls 61853->61854 61854->61858 61855 4031c0 std::_Throw_Cpp_error 41 API calls 61855->61811 61856 4031c0 std::_Throw_Cpp_error 41 API calls 61856->61858 61857 4d2ea0 std::ios_base::_Ios_base_dtor 61857->61801 61857->61855 61858->61856 61858->61857 61860 414090 std::_Throw_Cpp_error 43 API calls 61859->61860 61863 40822d 61860->61863 61861 4031c0 std::_Throw_Cpp_error 41 API calls 61862 408392 61861->61862 61864 416930 43 API calls 61862->61864 61866 4083dd __Strxfrm 61862->61866 61863->61861 61864->61866 61865 4084b0 GetModuleHandleA GetProcAddress WSASend 61865->61866 61867 40859e std::ios_base::_Ios_base_dtor 61865->61867 61866->61865 61866->61867 61868 433500 std::_Throw_Cpp_error 41 API calls 61867->61868 61869 40860a std::ios_base::_Ios_base_dtor 61867->61869 61870 408637 61868->61870 61869->61763 61871->61792 61872->61792 61873->61792 61874->61836 61876 41c55d 61875->61876 61882 41c4e2 __Strxfrm 61875->61882 61877 41c64c 61876->61877 61878 41c56c 61876->61878 61931 403110 43 API calls 2 library calls 61877->61931 61881 4036f0 std::_Throw_Cpp_error 43 API calls 61878->61881 61880 433500 std::_Throw_Cpp_error 41 API calls 61885 41c656 61880->61885 61883 41c5b1 __Strxfrm 61881->61883 61882->61836 61883->61880 61900 41c60c std::ios_base::_Ios_base_dtor __Strxfrm 61883->61900 61906 41c6b2 61885->61906 61912 41c6d4 61885->61912 61932 4254c0 43 API calls 5 library calls 61885->61932 61886 41c85c 61887 41c911 61886->61887 61888 41c8d5 61886->61888 61889 41c8f5 61886->61889 61890 41c8b9 61886->61890 61891 41c91e 61886->61891 61892 41c877 61886->61892 
61941 41d3c0 43 API calls 61887->61941 61939 41cb60 43 API calls 61888->61939 61940 41cb60 43 API calls 61889->61940 61938 41cb60 43 API calls 61890->61938 61942 41cc10 43 API calls __dosmaperr 61891->61942 61892->61836 61900->61836 61901 41c90b 61901->61836 61902 41c918 61902->61836 61903 41c925 61903->61836 61904 41c8cf 61904->61836 61905 41c8ef 61905->61836 61910 41c748 61906->61910 61906->61912 61933 4254c0 43 API calls 5 library calls 61906->61933 61908 41c7bc 61908->61886 61908->61892 61936 41d1e0 43 API calls 61908->61936 61937 4254c0 43 API calls 5 library calls 61908->61937 61909 41c764 61909->61836 61910->61909 61934 41dd20 43 API calls 61910->61934 61912->61909 61935 41cad0 43 API calls 61912->61935 61914->61841 61915->61851 61916->61853 61918 42d446 ReleaseSRWLockExclusive 61917->61918 61919 42d454 61917->61919 61918->61919 61919->61792 61920->61809 61921->61792 61922->61810 61923->61792 61924->61821 61925->61792 61926->61825 61927->61792 61928->61826 61929->61792 61930->61831 61931->61883 61932->61906 61933->61910 61934->61912 61935->61908 61936->61908 61937->61908 61938->61904 61939->61905 61940->61901 61941->61902 61942->61903 61943 447223 61944 447230 61943->61944 61947 447248 61943->61947 61998 43bf8f 14 API calls __dosmaperr 61944->61998 61946 447235 61999 4334f0 41 API calls ___std_exception_copy 61946->61999 61951 4472a7 61947->61951 61957 447240 61947->61957 61963 447f13 61947->61963 61950 444a79 __fread_nolock 41 API calls 61952 4472c0 61950->61952 61951->61950 61968 443087 61952->61968 61955 444a79 __fread_nolock 41 API calls 61956 4472f9 61955->61956 61956->61957 61958 444a79 __fread_nolock 41 API calls 61956->61958 61959 447307 61958->61959 61959->61957 61960 444a79 __fread_nolock 41 API calls 61959->61960 61961 447315 61960->61961 61962 444a79 __fread_nolock 41 API calls 61961->61962 61962->61957 61964 444eea __dosmaperr 14 API calls 61963->61964 61965 447f30 61964->61965 62000 4458aa 14 API calls __dosmaperr 61965->62000 61967 447f3a 
61967->61951 61969 443093 __FrameHandler3::FrameUnwindToState 61968->61969 61970 44309b 61969->61970 61972 4430b6 61969->61972 62002 43bf7c 14 API calls __dosmaperr 61970->62002 61974 4430cd 61972->61974 61977 443108 61972->61977 61973 4430a0 62003 43bf8f 14 API calls __dosmaperr 61973->62003 62004 43bf7c 14 API calls __dosmaperr 61974->62004 61979 443126 61977->61979 61980 443111 61977->61980 61978 4430d2 62005 43bf8f 14 API calls __dosmaperr 61978->62005 62001 448f52 EnterCriticalSection 61979->62001 62007 43bf7c 14 API calls __dosmaperr 61980->62007 61984 44312c 61987 443160 61984->61987 61988 44314b 61984->61988 61985 4430da 62006 4334f0 41 API calls ___std_exception_copy 61985->62006 61986 443116 62008 43bf8f 14 API calls __dosmaperr 61986->62008 61992 4431a0 __fread_nolock 53 API calls 61987->61992 62009 43bf8f 14 API calls __dosmaperr 61988->62009 61994 44315b 61992->61994 61993 443150 62010 43bf7c 14 API calls __dosmaperr 61993->62010 62011 443198 LeaveCriticalSection __wsopen_s 61994->62011 61997 4430a8 61997->61955 61997->61957 61998->61946 61999->61957 62000->61967 62001->61984 62002->61973 62003->61997 62004->61978 62005->61985 62006->61997 62007->61986 62008->61985 62009->61993 62010->61994 62011->61997 62012 5cc3026 62013 5cc3035 62012->62013 62016 5cc37c6 62013->62016 62021 5cc37e1 62016->62021 62017 5cc37ea CreateToolhelp32Snapshot 62018 5cc3806 Module32First 62017->62018 62017->62021 62019 5cc303e 62018->62019 62020 5cc3815 62018->62020 62023 5cc3485 62020->62023 62021->62017 62021->62018 62024 5cc34b0 62023->62024 62025 5cc34f9 62024->62025 62026 5cc34c1 VirtualAlloc 62024->62026 62025->62025 62026->62025 62027 44550f 62032 4452e5 62027->62032 62030 44554e 62033 445304 62032->62033 62034 445317 62033->62034 62041 44532c 62033->62041 62052 43bf8f 14 API calls __dosmaperr 62034->62052 62036 44531c 62053 4334f0 41 API calls ___std_exception_copy 62036->62053 62038 445327 62038->62030 62049 43d543 62038->62049 62040 4454fd 62058 4334f0 41 API calls 
___std_exception_copy 62040->62058 62047 44544c 62041->62047 62054 43b83e 41 API calls 2 library calls 62041->62054 62044 44549c 62044->62047 62055 43b83e 41 API calls 2 library calls 62044->62055 62046 4454ba 62046->62047 62056 43b83e 41 API calls 2 library calls 62046->62056 62047->62038 62057 43bf8f 14 API calls __dosmaperr 62047->62057 62059 43ceeb 62049->62059 62052->62036 62053->62038 62054->62044 62055->62046 62056->62047 62057->62040 62058->62038 62060 43cef7 __FrameHandler3::FrameUnwindToState 62059->62060 62061 43cefe 62060->62061 62064 43cf29 62060->62064 62079 43bf8f 14 API calls __dosmaperr 62061->62079 62063 43cf03 62080 4334f0 41 API calls ___std_exception_copy 62063->62080 62070 43d4d5 62064->62070 62069 43cf0d 62069->62030 62082 437a37 62070->62082 62075 43d50b 62077 43cf4d 62075->62077 62137 4458aa 14 API calls __dosmaperr 62075->62137 62081 43cf80 LeaveCriticalSection __wsopen_s 62077->62081 62079->62063 62080->62069 62081->62069 62138 433e3e 62082->62138 62085 437a5b 62087 437a1a 62085->62087 62149 437968 62087->62149 62090 43d563 62174 43d2b1 62090->62174 62093 43d595 62206 43bf7c 14 API calls __dosmaperr 62093->62206 62094 43d5ae 62192 44902a 62094->62192 62098 43d5d3 62205 43d21c CreateFileW 62098->62205 62099 43d5bc 62208 43bf7c 14 API calls __dosmaperr 62099->62208 62103 43d5c1 62209 43bf8f 14 API calls __dosmaperr 62103->62209 62105 43d689 GetFileType 62107 43d694 GetLastError 62105->62107 62108 43d6db 62105->62108 62106 43d5a7 62106->62075 62212 43bf35 14 API calls __dosmaperr 62107->62212 62214 448f75 15 API calls 2 library calls 62108->62214 62109 43d59a 62207 43bf8f 14 API calls __dosmaperr 62109->62207 62110 43d60c 62110->62105 62111 43d65e GetLastError 62110->62111 62210 43d21c CreateFileW 62110->62210 62211 43bf35 14 API calls __dosmaperr 62111->62211 62114 43d6a2 CloseHandle 62114->62109 62116 43d6cb 62114->62116 62213 43bf8f 14 API calls __dosmaperr 62116->62213 62118 43d651 62118->62105 62118->62111 62120 43d6fc 62122 43d748 
62120->62122 62215 43d42b 75 API calls 3 library calls 62120->62215 62121 43d6d0 62121->62109 62126 43d74f 62122->62126 62217 43cfc6 75 API calls 4 library calls 62122->62217 62125 43d77d 62125->62126 62127 43d78b 62125->62127 62216 44365f 44 API calls 2 library calls 62126->62216 62127->62106 62129 43d807 CloseHandle 62127->62129 62218 43d21c CreateFileW 62129->62218 62131 43d832 62132 43d868 62131->62132 62133 43d83c GetLastError 62131->62133 62132->62106 62219 43bf35 14 API calls __dosmaperr 62133->62219 62135 43d848 62220 44913d 15 API calls 2 library calls 62135->62220 62137->62077 62139 433e5c 62138->62139 62141 433e55 62138->62141 62140 4446d2 __Strxfrm 41 API calls 62139->62140 62139->62141 62142 433e7d 62140->62142 62141->62085 62146 445d9e 5 API calls std::_Lockit::_Lockit 62141->62146 62147 4449bd 41 API calls __Strxfrm 62142->62147 62144 433e93 62148 444a1b 41 API calls _strftime 62144->62148 62146->62085 62147->62144 62148->62141 62150 437990 62149->62150 62151 437976 62149->62151 62152 437997 62150->62152 62153 4379b6 62150->62153 62167 437a76 14 API calls ___std_exception_destroy 62151->62167 62158 437980 62152->62158 62168 437a90 15 API calls _strftime 62152->62168 62169 445a0a MultiByteToWideChar _strftime 62153->62169 62157 4379c5 62159 4379cc GetLastError 62157->62159 62160 4379f2 62157->62160 62172 437a90 15 API calls _strftime 62157->62172 62158->62075 62158->62090 62170 43bf35 14 API calls __dosmaperr 62159->62170 62160->62158 62173 445a0a MultiByteToWideChar _strftime 62160->62173 62164 4379d8 62171 43bf8f 14 API calls __dosmaperr 62164->62171 62165 437a09 62165->62158 62165->62159 62167->62158 62168->62158 62169->62157 62170->62164 62171->62158 62172->62160 62173->62165 62175 43d2d2 62174->62175 62176 43d2ec 62174->62176 62175->62176 62228 43bf8f 14 API calls __dosmaperr 62175->62228 62221 43d241 62176->62221 62179 43d2e1 62229 4334f0 41 API calls ___std_exception_copy 62179->62229 62181 43d324 62182 43d353 62181->62182 62230 43bf8f 14 API 
calls __dosmaperr 62181->62230 62189 43d3a6 62182->62189 62232 4412b0 41 API calls 2 library calls 62182->62232 62185 43d3a1 62187 43d41e 62185->62187 62185->62189 62186 43d348 62231 4334f0 41 API calls ___std_exception_copy 62186->62231 62233 43351d 11 API calls _unexpected 62187->62233 62189->62093 62189->62094 62191 43d42a 62193 449036 __FrameHandler3::FrameUnwindToState 62192->62193 62236 43eadb EnterCriticalSection 62193->62236 62195 449062 62240 448e04 15 API calls 3 library calls 62195->62240 62199 449067 62204 449084 62199->62204 62241 448f52 EnterCriticalSection 62199->62241 62200 44903d 62200->62195 62201 4490d1 EnterCriticalSection 62200->62201 62200->62204 62203 4490de LeaveCriticalSection 62201->62203 62201->62204 62203->62200 62237 449134 62204->62237 62205->62110 62206->62109 62207->62106 62208->62103 62209->62109 62210->62118 62211->62109 62212->62114 62213->62121 62214->62120 62215->62122 62216->62106 62217->62125 62218->62131 62219->62135 62220->62132 62223 43d259 62221->62223 62222 43d274 62222->62181 62223->62222 62234 43bf8f 14 API calls __dosmaperr 62223->62234 62225 43d298 62235 4334f0 41 API calls ___std_exception_copy 62225->62235 62227 43d2a3 62227->62181 62228->62179 62229->62176 62230->62186 62231->62182 62232->62185 62233->62191 62234->62225 62235->62227 62236->62200 62242 43eb23 LeaveCriticalSection 62237->62242 62239 43d5b3 62239->62098 62239->62099 62240->62199 62241->62204 62242->62239 62243 4f2d70 62244 4340b0 43 API calls 62243->62244 62245 4f2e12 62244->62245 62246 437938 71 API calls 62245->62246 62248 4f2e1f 62245->62248 62246->62248 62247 4f2e52 std::ios_base::_Ios_base_dtor 62248->62247 62249 433500 std::_Throw_Cpp_error 41 API calls 62248->62249 62250 4f2e6b 62249->62250

Control-flow Graph

• Executed
• Not Executed
                                                                                      APIs
                                                                                      • Sleep.KERNELBASE(00000025), ref: 00453C44
                                                                                        • Part of subcall function 004E2FA0: __Xtime_get_ticks.LIBCPMT ref: 004E2FA1
                                                                                        • Part of subcall function 004E2FA0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004E2FAF
                                                                                      • GetCurrentProcess.KERNEL32(00008000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001), ref: 00453DCD
                                                                                      • SetPriorityClass.KERNELBASE(00000000), ref: 00453DD4
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(0045A780), ref: 00453DDF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassCurrentExceptionFilterPriorityProcessSleepUnhandledUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
                                                                                      • String ID: /*************/$131$131$147.45.47.93:58709$149.18.24.96$43t res tgy45yfhyrt$Dk43l_dwmk438*$er ert 346 34634 6ch$futer
                                                                                      • API String ID: 1211644118-3050393103
                                                                                      • Opcode ID: d8dc7ae4399afbc338cbd3cb43fe2f1cafb63e5b3bc4480d4e0b40fd1439af9b
                                                                                      • Instruction ID: 58df280d1c5bcf31294a4ea42ed0208b52652377ae8c263acff41185647b5a58
                                                                                      • Opcode Fuzzy Hash: d8dc7ae4399afbc338cbd3cb43fe2f1cafb63e5b3bc4480d4e0b40fd1439af9b
                                                                                      • Instruction Fuzzy Hash: F70326B45083829FC324DF29C491AABBBE4FFD8345F40491EE98997352DB30A549CF96
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 743 4d3150-4d3182 WSAStartup 744 4d3188-4d31b2 call 4f6620 * 2 743->744 745 4d3256-4d325f 743->745 750 4d31be-4d3204 getaddrinfo 744->750 751 4d31b4-4d31b8 744->751 752 4d3206-4d320c 750->752 753 4d3250 WSACleanup 750->753 751->745 751->750 754 4d320e 752->754 755 4d3264-4d326e freeaddrinfo 752->755 753->745 757 4d3214-4d3228 socket 754->757 755->753 756 4d3270-4d3278 755->756 757->753 758 4d322a-4d323a connect 757->758 759 4d323c-4d3244 closesocket 758->759 760 4d3260 758->760 759->757 761 4d3246-4d324a freeaddrinfo 759->761 760->755 761->753
                                                                                      APIs
                                                                                      • WSAStartup.WS2_32 ref: 004D317A
                                                                                      • getaddrinfo.WS2_32(?,?,?,00588CC0), ref: 004D31FC
                                                                                      • socket.WS2_32(?,?,?), ref: 004D321D
                                                                                      • connect.WS2_32(00000000,0055F6D1,?), ref: 004D3231
                                                                                      • closesocket.WS2_32(00000000), ref: 004D323D
                                                                                      • freeaddrinfo.WS2_32(?,?,?,?,00588CC0,?,?), ref: 004D324A
                                                                                      • WSACleanup.WS2_32 ref: 004D3250
                                                                                      • freeaddrinfo.WS2_32(?,?,?,?,00588CC0,?,?), ref: 004D3265
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: freeaddrinfo$CleanupStartupclosesocketconnectgetaddrinfosocket
                                                                                      • String ID:
                                                                                      • API String ID: 58224237-0
                                                                                      • Opcode ID: 9e6883013388f64e9fa16a16f0073357cf9f7d6acb3b040fdaf446918f01256a
                                                                                      • Instruction ID: 66b7f2af6e1e00109afe9fd9f1c3058fd8df4c895de65cf13c46908161227474
                                                                                      • Opcode Fuzzy Hash: 9e6883013388f64e9fa16a16f0073357cf9f7d6acb3b040fdaf446918f01256a
                                                                                      • Instruction Fuzzy Hash: 7731E631A047009BD7209F29DC4862BB7E5FF85735F104B5FF9A4933E0D37899489696
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 762 45a5c0-45a5d3 GetCursorPos 763 45a5d5-45a5e1 GetCursorPos 762->763 764 45a5e7-45a5ed 763->764 765 45a6a8-45a6b1 GetPEB 763->765 764->765 766 45a5f3-45a5ff GetPEB 764->766 767 45a6b4-45a6c8 765->767 768 45a600-45a614 766->768 769 45a719-45a71b 767->769 770 45a6ca-45a6cf 767->770 772 45a664-45a666 768->772 773 45a616-45a61b 768->773 769->767 770->769 771 45a6d1-45a6d9 770->771 774 45a6e0-45a6f3 771->774 772->768 773->772 775 45a61d-45a623 773->775 776 45a6f5-45a708 774->776 777 45a712-45a717 774->777 778 45a625-45a638 775->778 776->776 779 45a70a-45a710 776->779 777->769 777->774 780 45a65d-45a662 778->780 781 45a63a 778->781 779->777 782 45a71d-45a742 Sleep 779->782 780->772 780->778 783 45a640-45a653 781->783 782->763 783->783 784 45a655-45a65b 783->784 784->780 785 45a668-45a69a Sleep GetCursorPos 784->785 785->765 786 45a69c-45a6a2 785->786 786->765 787 45a747-45a758 call 4f6620 786->787 790 45a75e 787->790 791 45a75a-45a75c 787->791 792 45a760-45a77d call 4f6620 790->792 791->792
                                                                                      APIs
                                                                                      • GetCursorPos.USER32(?), ref: 0045A5D3
                                                                                      • GetCursorPos.USER32(?), ref: 0045A5D9
                                                                                      • Sleep.KERNELBASE(000003E9,?,?,?,?,?,?,?,?,?,?,?,00453DEA), ref: 0045A688
                                                                                      • GetCursorPos.USER32(?), ref: 0045A68E
                                                                                      • Sleep.KERNELBASE(00000001,?,?,?,?,?,?,?,?,?,?,?,00453DEA), ref: 0045A73A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Cursor$Sleep
                                                                                      • String ID: =E
                                                                                      • API String ID: 1847515627-2289002813
                                                                                      • Opcode ID: 87aaf06eb3feef4bfb938811ad3031e6b1e2923ec5a892cc3e26860d6edd803d
                                                                                      • Instruction ID: 823f227e19ebc1f4262c84ee3b7a9e46c16cc5b48225767440be61142120e435
                                                                                      • Opcode Fuzzy Hash: 87aaf06eb3feef4bfb938811ad3031e6b1e2923ec5a892cc3e26860d6edd803d
                                                                                      • Instruction Fuzzy Hash: B151CC35A00215CFCB18CF58C4C4EAAB7B1FF49705F19429AD945AB312D739ED1ACB81
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 795 4df790-4df7f3 call 430240 GetModuleFileNameA 798 4df7f6-4df7fb 795->798 798->798 799 4df7fd-4df889 call 4034e0 798->799 802 4df890-4df895 799->802 802->802 803 4df897-4df8bd call 419950 802->803 806 4dfa33 803->806 807 4df8c3-4df93d 803->807 808 4dfa37-4dfa3a 806->808 809 4df940-4df945 807->809 810 4dfa3c-4dfa45 808->810 811 4dfa61-4dfa6c 808->811 809->809 812 4df947-4df96d call 419950 809->812 813 4dfa57-4dfa5e call 42e183 810->813 814 4dfa47-4dfa55 810->814 812->806 821 4df973-4df9fc 812->821 813->811 814->813 816 4dfa6d-4dfae1 call 433500 call 430240 814->816 828 4dfaea 816->828 829 4dfae3-4dfae8 816->829 822 4dfa00-4dfa05 821->822 822->822 824 4dfa07-4dfa31 call 419950 822->824 824->806 824->808 831 4dfaef-4dfc13 call 4f6620 GetModuleHandleA GetProcAddress 828->831 829->831 834 4dfc1a-4dfc50 call 4f6620 CreateProcessA 831->834 835 4dfc15 831->835 838 4dfd0e-4dfd14 834->838 839 4dfc56-4dfc78 call 4f6620 GetPEB 834->839 835->834 840 4dfd3e-4dfd50 838->840 841 4dfd16-4dfd22 838->841 848 4dfc80-4dfc94 839->848 843 4dfd34-4dfd3b call 42e183 841->843 844 4dfd24-4dfd32 841->844 843->840 844->843 846 4dfd51-4dfd9e call 433500 844->846 856 4dfda0 846->856 857 4dfda2-4dfdbe MultiByteToWideChar 846->857 851 4dfce7-4dfce9 848->851 852 4dfc96-4dfc9b 848->852 851->848 852->851 854 4dfc9d-4dfca3 852->854 855 4dfca5-4dfcba 854->855 858 4dfcdd-4dfce5 855->858 859 4dfcbc 855->859 856->857 860 4dfdc0-4dfdf4 call 4164d0 857->860 861 4dfe33-4dfe54 857->861 858->851 858->855 862 4dfcc0-4dfcd3 859->862 868 4dfdf8-4dfe31 MultiByteToWideChar 860->868 869 4dfdf6 860->869 864 4dfe57-4dfe6b 861->864 862->862 865 4dfcd5-4dfcdb 862->865 865->858 867 4dfceb-4dfd0a 865->867 867->838 868->864 869->868
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000200,?,?,811C9DC5), ref: 004DF7D2
                                                                                      • GetModuleHandleA.KERNEL32(?), ref: 004DFBF1
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004DFBFC
                                                                                      • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004DFC4C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Module$AddressCreateFileHandleNameProcProcess
                                                                                      • String ID:
                                                                                      • API String ID: 347136680-0
                                                                                      • Opcode ID: f5ef7e5a0093e01301607f7d42f07229371b5a2fad561cb305fd20bd82fb37b4
                                                                                      • Instruction ID: 1c398614b8e40d06d673246c6905bd3bbdd575ff32f9acac0e67e79eca0af1e2
                                                                                      • Opcode Fuzzy Hash: f5ef7e5a0093e01301607f7d42f07229371b5a2fad561cb305fd20bd82fb37b4
                                                                                      • Instruction Fuzzy Hash: 393258B4D00249AFDB10CF98D995BEEFBB1FF48314F20425AE849AB381D7346A45CB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 378 4d23c0-4d23f8 379 4d23fe 378->379 380 4d2870-4d2884 378->380 381 4d2404-4d240c 379->381 382 4d240e-4d2434 call 4d3150 381->382 383 4d2447-4d2490 setsockopt recv WSAGetLastError 381->383 386 4d2439-4d2441 382->386 383->380 385 4d2496-4d2499 383->385 387 4d249f-4d24a6 385->387 388 4d27da-4d2804 call 42d8f9 call 452ef0 385->388 386->383 390 4d285b-4d286a Sleep 386->390 391 4d24ac-4d24f3 call 416930 recv 387->391 392 4d27c8-4d27d8 recv 387->392 393 4d284d-4d2855 Sleep 388->393 403 4d2806 388->403 390->380 390->381 398 4d24f9-4d2514 recv 391->398 399 4d2784-4d2791 391->399 392->393 393->390 398->399 401 4d251a-4d2551 398->401 399->393 402 4d2797-4d27a3 399->402 404 4d25b4-4d25e4 call 414090 401->404 405 4d2553-4d25b1 call 416930 setsockopt recv 401->405 406 4d27b9-4d27c3 call 42e183 402->406 407 4d27a5-4d27b3 402->407 408 4d2808-4d280e 403->408 409 4d2810-4d2837 call 4081e0 403->409 421 4d25ea 404->421 422 4d2704-4d2741 call 4d2890 404->422 405->404 406->393 407->406 413 4d2885-4d288a call 433500 407->413 408->393 408->409 415 4d283c-4d2848 409->415 415->393 423 4d25f0-4d2608 421->423 425 4d2746-4d2753 422->425 426 4d261a-4d2629 423->426 427 4d260a-4d2615 423->427 425->399 428 4d2755-4d2764 425->428 429 4d2639-4d2645 426->429 430 4d262b-4d2634 426->430 431 4d26e9 427->431 432 4d277a-4d2781 call 42e183 428->432 433 4d2766-4d2774 428->433 434 4d2655-4d2661 429->434 435 4d2647-4d2650 429->435 430->431 436 4d26ec-4d26fe 431->436 432->399 433->413 433->432 438 4d266e-4d267a 434->438 439 4d2663-4d266c 434->439 435->431 436->422 436->423 440 4d267c-4d2685 438->440 441 4d2687-4d2693 438->441 439->431 440->431 443 4d2695-4d269e 441->443 444 4d26a0-4d26ac 441->444 443->431 445 4d26ae-4d26b7 444->445 446 4d26b9-4d26c5 444->446 445->431 447 4d26c7-4d26d0 446->447 448 4d26d2-4d26db 446->448 447->431 448->436 449 4d26dd-4d26e5 448->449 449->431
                                                                                      APIs
                                                                                      • setsockopt.WS2_32(00000374,0000FFFF,00001006,?,00000008), ref: 004D2466
                                                                                      • recv.WS2_32(?,00000004,00000002), ref: 004D2481
                                                                                      • WSAGetLastError.WS2_32 ref: 004D2485
                                                                                      • recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 004D24EE
                                                                                      • recv.WS2_32(00000000,0000000C,00000008), ref: 004D250F
                                                                                      • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004D258B
                                                                                      • recv.WS2_32(00000000,?,00000008), ref: 004D25AC
                                                                                        • Part of subcall function 004D3150: WSAStartup.WS2_32 ref: 004D317A
                                                                                        • Part of subcall function 004D3150: getaddrinfo.WS2_32(?,?,?,00588CC0), ref: 004D31FC
                                                                                        • Part of subcall function 004D3150: socket.WS2_32(?,?,?), ref: 004D321D
                                                                                        • Part of subcall function 004D3150: connect.WS2_32(00000000,0055F6D1,?), ref: 004D3231
                                                                                        • Part of subcall function 004D3150: closesocket.WS2_32(00000000), ref: 004D323D
                                                                                        • Part of subcall function 004D3150: freeaddrinfo.WS2_32(?,?,?,?,00588CC0,?,?), ref: 004D324A
                                                                                        • Part of subcall function 004D3150: WSACleanup.WS2_32 ref: 004D3250
                                                                                      • recv.WS2_32(?,00000004,00000008), ref: 004D27D6
                                                                                      • __Xtime_get_ticks.LIBCPMT ref: 004D27DA
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D27E8
                                                                                      • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004D284F
                                                                                      • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004D285D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: recv$Sleepsetsockopt$CleanupErrorLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectfreeaddrinfogetaddrinfosocket
                                                                                      • String ID:
                                                                                      • API String ID: 4125349891-0
                                                                                      • Opcode ID: 741e4aba1a023d42f8cda5b1c611e4a31a37109a2d99ce0121b9f219ece0da7f
                                                                                      • Instruction ID: 15ea99ae058cf58d21446cf462f8f8b9c5c04bab4b96d95aa166a16db5b48a04
                                                                                      • Opcode Fuzzy Hash: 741e4aba1a023d42f8cda5b1c611e4a31a37109a2d99ce0121b9f219ece0da7f
                                                                                      • Instruction Fuzzy Hash: 55E13230900244DFDB15DBA4CDA07ADBBF1BF66310F24425BE841AB2D2DBB45C8ADB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%
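The function blocks above (the cursor-movement check at 45a5c0, the connect helper at 4d3150, the receive loop at 4d23c0 and the main routine's string table) carry the facts an analyst wants out of a report like this: which Winsock options and recv flags the sample uses, how long its evasion sleeps are, and which IP:port strings it embeds. The following is an added example, not code from the Joe Sandbox report or from the RisePro sample it analyses. It parses the report's "APIs" bullet lines and a "String ID" line into records, decodes the real WinSock2.h constants (SOL_SOCKET = 0xFFFF, SO_RCVTIMEO = 0x1006, MSG_PEEK = 0x2, MSG_WAITALL = 0x8) and extracts the IPv4 indicators. The line format it assumes is the one visible on this page; because the argument columns Joe Sandbox shows are recovered from the stack and are not always aligned to the API prototype (compare the two setsockopt lines above), the decoder goes by value rather than by argument position, which is a heuristic.

```python
"""Added example, not code from the Joe Sandbox report or from the sample it
analyses: a parser for the report's "APIs" bullet lines and "String ID" line,
a decoder for the Winsock constants the sample passes to setsockopt()/recv(),
and an extractor for the IP[:port] indicators in the string table."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Real values from WinSock2.h; only the ones this report needs.
SOL_SOCKET = 0xFFFF
SOL_SOCKET_OPTS = {0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}
RECV_FLAGS = {0x1: "MSG_OOB", 0x2: "MSG_PEEK", 0x8: "MSG_WAITALL"}
RECV_FLAG_MASK = sum(RECV_FLAGS)          # union of the known flag bits

# Matches "• recv.WS2_32(00000000,0000000C,00000008), ref: 004D250F" as well as
# the bare "• WSAStartup.WS2_32 ref: 004D317A"; "Part of subcall function"
# prefixes are accepted and flagged.  Assumed shape, taken from this page.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
IPV4 = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]        # None where the report shows '?'
    ref: int                         # address of the call instruction
    via_subcall: bool = False
    notes: List[str] = field(default_factory=list)


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = []
    for tok in (raw.split(",") if raw else []):
        tok = tok.strip()
        args.append(int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else None)
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), bool(m.group("sub")))


def annotate(call: ApiCall) -> ApiCall:
    """Decode the constants that matter for this sample.  Joe Sandbox recovers
    arguments by sniffing the stack and the columns are not always aligned to
    the prototype, so this decodes by value, not by position (a heuristic)."""
    ints = [a for a in call.args if a is not None]
    if call.api == "setsockopt":
        if SOL_SOCKET in ints:
            call.notes.append("level=SOL_SOCKET")
        call.notes += [f"opt={SOL_SOCKET_OPTS[v]}" for v in ints if v in SOL_SOCKET_OPTS]
    elif call.api == "recv":
        for v in ints:                       # values made only of known flag bits
            if v and v & ~RECV_FLAG_MASK == 0:
                call.notes.append("flags=" + "|".join(n for b, n in RECV_FLAGS.items() if v & b))
    elif call.api == "Sleep" and call.args and call.args[0] is not None:
        call.notes.append(f"{call.args[0]} ms")   # first argument is dwMilliseconds
    return call


def extract_network_iocs(string_id_line: str) -> List[Tuple[str, Optional[int]]]:
    """The report joins a function's string references with '$'; return the
    IPv4 addresses (with port when present) found among them."""
    _, _, joined = string_id_line.partition("String ID:")
    found = []
    for tok in joined.split("$"):
        m = IPV4.match(tok.strip())
        if m and all(int(o) <= 255 for o in m.group(1).split(".")):
            port = int(m.group(2)) if m.group(2) else None
            if port is None or port <= 65535:
                found.append((m.group(1), port))
    return found


def parse_report(text: str) -> dict:
    lines = text.splitlines()
    calls = [annotate(c) for c in map(parse_api_line, lines) if c]
    iocs = [i for ln in lines if "String ID:" in ln for i in extract_network_iocs(ln)]
    return {"calls": calls, "iocs": iocs}


# Lines copied from the function blocks above; constructed input for the demo.
REPORT_EXCERPT = """\
• Sleep.KERNELBASE(000003E9,?,?,?,?,?,?,?,?,?,?,?,00453DEA), ref: 0045A688
• WSAStartup.WS2_32 ref: 004D317A
• connect.WS2_32(00000000,0055F6D1,?), ref: 004D3231
• setsockopt.WS2_32(00000374,0000FFFF,00001006,?,00000008), ref: 004D2466
• recv.WS2_32(?,00000004,00000002), ref: 004D2481
• recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 004D24EE
• recv.WS2_32(00000000,0000000C,00000008), ref: 004D250F
  • Part of subcall function 004D3150: getaddrinfo.WS2_32(?,?,?,00588CC0), ref: 004D31FC
• String ID: /*************/$131$131$147.45.47.93:58709$149.18.24.96$43t res tgy45yfhyrt$Dk43l_dwmk438*$er ert 346 34634 6ch$futer
"""

if __name__ == "__main__":
    result = parse_report(REPORT_EXCERPT)
    for c in result["calls"]:
        print(f"{c.ref:08X} {c.api}.{c.module} {c.notes}")
    print("network IOCs:", result["iocs"])
```

Run against the excerpt, the receive loop decodes as a 4-byte MSG_PEEK followed by a 12-byte read with MSG_WAITALL under a SO_RCVTIMEO receive timeout, the cursor check's Sleep resolves to 1001 ms, and the string table yields 147.45.47.93:58709 and 149.18.24.96; feed it the full report text to get the same structured view for every function block.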

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 450 43d563-43d593 call 43d2b1 453 43d595-43d5a0 call 43bf7c 450->453 454 43d5ae-43d5ba call 44902a 450->454 459 43d5a2-43d5a9 call 43bf8f 453->459 460 43d5d3-43d61c call 43d21c 454->460 461 43d5bc-43d5d1 call 43bf7c call 43bf8f 454->461 471 43d888-43d88c 459->471 469 43d689-43d692 GetFileType 460->469 470 43d61e-43d627 460->470 461->459 472 43d694-43d6c5 GetLastError call 43bf35 CloseHandle 469->472 473 43d6db-43d6de 469->473 475 43d629-43d62d 470->475 476 43d65e-43d684 GetLastError call 43bf35 470->476 472->459 487 43d6cb-43d6d6 call 43bf8f 472->487 478 43d6e0-43d6e5 473->478 479 43d6e7-43d6ed 473->479 475->476 480 43d62f-43d65c call 43d21c 475->480 476->459 483 43d6f1-43d73f call 448f75 478->483 479->483 484 43d6ef 479->484 480->469 480->476 493 43d741-43d74d call 43d42b 483->493 494 43d75e-43d786 call 43cfc6 483->494 484->483 487->459 493->494 499 43d74f 493->499 500 43d78b-43d7cc 494->500 501 43d788-43d789 494->501 502 43d751-43d759 call 44365f 499->502 503 43d7ce-43d7d2 500->503 504 43d7ed-43d7fb 500->504 501->502 502->471 503->504 506 43d7d4-43d7e8 503->506 507 43d801-43d805 504->507 508 43d886 504->508 506->504 507->508 510 43d807-43d83a CloseHandle call 43d21c 507->510 508->471 513 43d86e-43d882 510->513 514 43d83c-43d868 GetLastError call 43bf35 call 44913d 510->514 513->508 514->513
                                                                                      APIs
                                                                                        • Part of subcall function 0043D21C: CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0043D239
                                                                                      • GetLastError.KERNEL32 ref: 0043D677
                                                                                      • __dosmaperr.LIBCMT ref: 0043D67E
                                                                                      • GetFileType.KERNELBASE(00000000), ref: 0043D68A
                                                                                      • GetLastError.KERNEL32 ref: 0043D694
                                                                                      • __dosmaperr.LIBCMT ref: 0043D69D
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0043D6BD
                                                                                      • CloseHandle.KERNEL32(?), ref: 0043D80A
                                                                                      • GetLastError.KERNEL32 ref: 0043D83C
                                                                                      • __dosmaperr.LIBCMT ref: 0043D843
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                      • String ID: H
                                                                                      • API String ID: 4237864984-2852464175
                                                                                      • Opcode ID: 63c00d4ff725a68de22716b4a375591cf024028e2c9fd4940c7fbe6601f7ac47
                                                                                      • Instruction ID: deea7823187220b22c69116efca66525af397024c1424d0dae53dd4a9d4c69af
                                                                                      • Opcode Fuzzy Hash: 63c00d4ff725a68de22716b4a375591cf024028e2c9fd4940c7fbe6601f7ac47
                                                                                      • Instruction Fuzzy Hash: 47A17C31E14114AFCF19AF68EC467AE3BB1EB0A324F14215EF811DB391DB388816DB55
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Function start: 4d2190 (graph edge list omitted)
                                                                                      APIs
                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004D2391
                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004D23A2
                                                                                      • setsockopt.WS2_32(00000374,0000FFFF,00001006,?,00000008), ref: 004D2466
                                                                                      • recv.WS2_32(?,00000004,00000002), ref: 004D2481
                                                                                      • WSAGetLastError.WS2_32 ref: 004D2485
                                                                                      • recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 004D24EE
                                                                                      • recv.WS2_32(00000000,0000000C,00000008), ref: 004D250F
                                                                                      • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004D258B
                                                                                      • recv.WS2_32(00000000,?,00000008), ref: 004D25AC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: recv$Cpp_errorThrow_setsockoptstd::_$ErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 4262120464-0
                                                                                      • Opcode ID: c1582d6184370410a97c32afa1233909a04efc10503d3efc906a2629de16cee2
                                                                                      • Instruction ID: f7b17b8e68668ba49e7fca0522a5bdce23b6917c1ff1aba89fdf03a1c4391d3e
                                                                                      • Opcode Fuzzy Hash: c1582d6184370410a97c32afa1233909a04efc10503d3efc906a2629de16cee2
                                                                                      • Instruction Fuzzy Hash: 8AF10070D00248DBDB14DFA8DD95BAEBBB1FF54314F10821AE804AB392DB786985DF94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Function start: 4431a0 (graph edge list omitted)
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID: 0-3907804496
                                                                                      • Opcode ID: f312eda8249cc3069f08ad3250047b362f1821e8ea6b527c5d9c004b485e982e
                                                                                      • Instruction ID: e3239ec4e1ee32b8324d570a22e522ef24bddbe65fd960e714ad45a7b0e040b8
                                                                                      • Opcode Fuzzy Hash: f312eda8249cc3069f08ad3250047b362f1821e8ea6b527c5d9c004b485e982e
                                                                                      • Instruction Fuzzy Hash: 77B12670A04244AFEB01DF59C881BBE7BB1FF49715F14419AE90197382CB789E41CBA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Function start: 4081e0 (graph edge list omitted)
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,005588D8,00000000,00000000,-00589220), ref: 00408566
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00408574
                                                                                      • WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,005588D8,00000000,00000000,-00589220), ref: 00408589
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProcSend
                                                                                      • String ID: Ws2_32.dll
                                                                                      • API String ID: 2819740048-3093949381
                                                                                      • Opcode ID: 605ac2d7a3170708ba1039c723fe4127dad6931d4a4a67f7d388f1b1f58ff418
                                                                                      • Instruction ID: b889a33a35ddf0adef0218ac58701f77bdbbaba15cb1320cc4c9efeef27d22b6
                                                                                      • Opcode Fuzzy Hash: 605ac2d7a3170708ba1039c723fe4127dad6931d4a4a67f7d388f1b1f58ff418
                                                                                      • Instruction Fuzzy Hash: 1BE1BC70D00258EFDF15CBA4DD917EDBBB0AF56704F14029EE8857B282DB34198ACB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Function start: 4f2cd0 (graph edge list omitted)
                                                                                      APIs
                                                                                      • GetFileAttributesA.KERNELBASE(?,00000005,00000005,?), ref: 004F2D0C
                                                                                      • GetLastError.KERNEL32(?,00000005,00000005,?), ref: 004F2D17
                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004F2D4E
                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004F2D5F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
                                                                                      • String ID:
                                                                                      • API String ID: 995686243-0
                                                                                      • Opcode ID: 1a30c07ed28fe703679387aa5b2d6d259f589d07aea0d83f312770283b1f14c8
                                                                                      • Instruction ID: 325128bde6972141eaafbb0e95bf719766b08d5b5670bbe0189b29004b96e682
                                                                                      • Opcode Fuzzy Hash: 1a30c07ed28fe703679387aa5b2d6d259f589d07aea0d83f312770283b1f14c8
                                                                                      • Instruction Fuzzy Hash: 3401C071641118129A342A35ED4907F370D8713328BA80F1BEE25973D5D9DFCC45875A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Function start: 4d2890 (graph edge list omitted)
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(?,6F2977B7,?,?,?,?,?,?,?,00000000,00000001,761B23A0,00000000), ref: 004D2D54
                                                                                        • Part of subcall function 004DB380: VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040,?,00000000), ref: 004DB3EA
                                                                                        • Part of subcall function 004DB380: WriteProcessMemory.KERNEL32(00000000,00000000,t-M,?,00000000), ref: 004DB406
                                                                                        • Part of subcall function 004DB380: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004DB43F
                                                                                        • Part of subcall function 004DB380: VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004DB469
                                                                                        • Part of subcall function 0042D43A: ReleaseSRWLockExclusive.KERNEL32(-00000008,?,004D2F08,00588C44,761B23A0,00000000), ref: 0042D44E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$AllocMemoryVirtualWrite$CurrentExclusiveLockRelease
                                                                                      • String ID: 149.18.24.96
                                                                                      • API String ID: 666592346-171400976
                                                                                      • Opcode ID: 270da5508d348e68f7a9e6667ccf5ce37d91e12b293a508e750d7236e560dbd7
                                                                                      • Instruction ID: 26b9c72b6ddc4c31c1f3b4b91af9721e671e16450a7e1798ce2a3c04c8b5f315
                                                                                      • Opcode Fuzzy Hash: 270da5508d348e68f7a9e6667ccf5ce37d91e12b293a508e750d7236e560dbd7
                                                                                      • Instruction Fuzzy Hash: 7432DF70900208CBDB14DF68C9957EDBBB1FF58304F14419AE8096B392DB789E85CFA6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Function start: 4f8d20 (graph edge list omitted)
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast
                                                                                      • String ID: -1L$-2L
                                                                                      • API String ID: 1452528299-3975959154
                                                                                      • Opcode ID: 691346873af9f375a3fd3bec6b454848e53a0b4af0cd965a2b75b339649d0642
                                                                                      • Instruction ID: 8532e58cabc42239c9a206463210862c2cf1955d45b676afb1905f123e481057
                                                                                      • Opcode Fuzzy Hash: 691346873af9f375a3fd3bec6b454848e53a0b4af0cd965a2b75b339649d0642
                                                                                      • Instruction Fuzzy Hash: 8BA1A071E102489BDB18DBA4CC95BFEB771FF58304F14821EE905BB281EB746A85CB54
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph
                                                                                      control_flow_graph 1168 433692-43369f 1169 4336a1-4336c4 call 433473 1168->1169 1170 4336c9-4336dd call 444a79 1168->1170 1175 433830-433832 1169->1175 1176 4336e2-4336eb call 43ce6f 1170->1176 1177 4336df 1170->1177 1179 4336f0-4336ff 1176->1179 1177->1176 1180 433701 1179->1180 1181 43370f-433718 1179->1181 1184 433707-433709 1180->1184 1185 4337d9-4337de 1180->1185 1182 43371a-433727 1181->1182 1183 43372c-433760 1181->1183 1186 43382c 1182->1186 1187 433762-43376c 1183->1187 1188 4337bd-4337c9 1183->1188 1184->1181 1184->1185 1189 43382e-43382f 1185->1189 1186->1189 1190 433793-43379f 1187->1190 1191 43376e-43377a 1187->1191 1192 4337e0-4337e3 1188->1192 1193 4337cb-4337d2 1188->1193 1189->1175 1190->1192 1195 4337a1-4337bb call 433ba9 1190->1195 1191->1190 1194 43377c-43378e call 4339fe 1191->1194 1196 4337e6-4337ee 1192->1196 1193->1185 1194->1189 1195->1196 1197 4337f0-4337f6 1196->1197 1198 43382a 1196->1198 1201 4337f8-43380c call 433833 1197->1201 1202 43380e-433812 1197->1202 1198->1186 1201->1189 1206 433825-433827 1202->1206 1207 433814-433822 call 452ef0 1202->1207 1206->1198 1207->1206
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: d A
                                                                                      • API String ID: 0-616623946
                                                                                      • Opcode ID: 5716fe010b3ef8e82fbddee052f2b6988042c47bb628807dafe6179510680c26
                                                                                      • Instruction ID: 8d691b3f4dbeef2f936747217c2848be1b4780fc272094865f28ed7dea4c0760
                                                                                      • Opcode Fuzzy Hash: 5716fe010b3ef8e82fbddee052f2b6988042c47bb628807dafe6179510680c26
                                                                                      • Instruction Fuzzy Hash: 7B51E3B4A00104AFDB14DF59CC85AAABBF1EF4D324F24915AF8099B352D379EE41CB94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph
                                                                                      control_flow_graph 1211 444019-44403b 1212 444041-444043 1211->1212 1213 44422e 1211->1213 1214 444045-444064 call 433473 1212->1214 1215 44406f-444092 1212->1215 1216 444230-444234 1213->1216 1224 444067-44406a 1214->1224 1218 444094-444096 1215->1218 1219 444098-44409e 1215->1219 1218->1219 1221 4440a0-4440b1 1218->1221 1219->1214 1219->1221 1222 4440c4-4440d4 call 443b5e 1221->1222 1223 4440b3-4440c1 call 43cecd 1221->1223 1229 4440d6-4440dc 1222->1229 1230 44411d-44412f 1222->1230 1223->1222 1224->1216 1233 444105-44411b call 44372f 1229->1233 1234 4440de-4440e1 1229->1234 1231 444186-4441a6 WriteFile 1230->1231 1232 444131-444137 1230->1232 1239 4441b1 1231->1239 1240 4441a8-4441ae GetLastError 1231->1240 1235 444172-444184 call 443bdb 1232->1235 1236 444139-44413c 1232->1236 1249 4440fe-444100 1233->1249 1237 4440e3-4440e6 1234->1237 1238 4440ec-4440fb call 443af6 1234->1238 1261 444159-44415c 1235->1261 1243 44415e-444170 call 443d9f 1236->1243 1244 44413e-444141 1236->1244 1237->1238 1245 4441c6-4441c9 1237->1245 1238->1249 1242 4441b4-4441bf 1239->1242 1240->1239 1250 4441c1-4441c4 1242->1250 1251 444229-44422c 1242->1251 1243->1261 1252 4441cc-4441ce 1244->1252 1253 444147-444154 call 443cb6 1244->1253 1245->1252 1249->1242 1250->1245 1251->1216 1257 4441d0-4441d5 1252->1257 1258 4441fc-444208 1252->1258 1253->1261 1262 4441d7-4441e9 1257->1262 1263 4441ee-4441f7 call 43bf58 1257->1263 1264 444212-444224 1258->1264 1265 44420a-444210 1258->1265 1261->1249 1262->1224 1263->1224 1264->1224 1265->1213 1265->1264
                                                                                      APIs
                                                                                        • Part of subcall function 0044372F: GetConsoleOutputCP.KERNEL32(D7297C87,00000000,00000000,00000000), ref: 00443792
                                                                                      • WriteFile.KERNELBASE(?,00000000,?,00000000,00000000,00000000,00000000,0000000C,?,00000000,00578C88,00000014,0043BE32,00000000,00000000,00000000), ref: 0044419E
                                                                                      • GetLastError.KERNEL32(?,00000000), ref: 004441A8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ConsoleErrorFileLastOutputWrite
                                                                                      • String ID:
                                                                                      • API String ID: 2915228174-0
                                                                                      • Opcode ID: a2902c3c69c25210d81bcce29da4bc8cd80d89380b950bcc4e5f7a79d08526b7
                                                                                      • Instruction ID: 0628d0172fcac0a10c399004d6184d52a202fa31f39ed19b8586a1ab0f8a80ff
                                                                                      • Opcode Fuzzy Hash: a2902c3c69c25210d81bcce29da4bc8cd80d89380b950bcc4e5f7a79d08526b7
                                                                                      • Instruction Fuzzy Hash: 2B61C471900119AFEF11CFA8DC84BEFBBB9BF99304F14014AE900A7202D779D955DB65
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph
                                                                                      control_flow_graph 1268 407b10-407b56 1269 407c25-407c39 call 42e243 1268->1269 1270 407b5c-407b65 1268->1270 1269->1270 1279 407c3f-407c90 call 42e16e call 42e1f2 1269->1279 1271 407b67 1270->1271 1272 407b69-407b73 GetFileAttributesA 1270->1272 1271->1272 1274 407c10-407c24 1272->1274 1275 407b79-407b87 1272->1275 1277 407b92-407b9c 1275->1277 1278 407b89-407b8f 1275->1278 1280 407ba6-407bbf call 4198b0 1277->1280 1281 407b9e-407ba3 1277->1281 1278->1277 1279->1270 1287 407bc1-407bd8 call 413b30 call 407b10 1280->1287 1288 407be8-407beb 1280->1288 1281->1280 1295 407bdd-407be5 call 4031c0 1287->1295 1291 407bed 1288->1291 1292 407bef-407c0f CreateDirectoryA 1288->1292 1291->1292 1295->1288
                                                                                      APIs
                                                                                      • GetFileAttributesA.KERNELBASE(?,7FFFFFFF,?,?,?,?,00000000,00558869,000000FF,?,?,00000000,00000001), ref: 00407B6A
                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000,00558869,000000FF,?,?,00000000), ref: 00407BF2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: AttributesCreateDirectoryFile
                                                                                      • String ID:
                                                                                      • API String ID: 3401506121-0
                                                                                      • Opcode ID: 88b6d157f409cee9c50ab71b6ff0b2b2da8276be95a888d3290d1b8dfbb9eb26
                                                                                      • Instruction ID: 2e2c2f2e01908e67c2a54bf0340a0c4501e43c5477e127a6dc49a8083d671767
                                                                                      • Opcode Fuzzy Hash: 88b6d157f409cee9c50ab71b6ff0b2b2da8276be95a888d3290d1b8dfbb9eb26
                                                                                      • Instruction Fuzzy Hash: 2641F175E14601EFC720DF64EC42AAAB7B5FB54724F18032AE816633D0E7347944DB96
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%
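The `control_flow_graph` lines in this report are the IDA plugin's textual serialisation of each function's basic blocks: a decimal node id, the block's address range (or a single address), optional `call <hex>` annotations for internal calls, bare names for imported APIs, and `src->dst` edges. The Python below is an added example, not part of Joe Sandbox or of the sample; it parses that layout as inferred from the lines on this page (any field behaviour not visible here is an assumption) and answers the questions an analyst asks of the sub_407B10 graph above: which imports the function touches, which internal routines it calls, and whether it calls itself. Block 1287 carries `call 407b10`, the function's own entry, so the GetFileAttributesA check followed by CreateDirectoryA is wrapped in recursion, consistent with a create-parent-directories helper.

```python
"""Parse a Joe Sandbox IDA-plugin control_flow_graph line and summarise it.

Added example; the format rules are inferred from the report text and are an
assumption, not a documented Joe Sandbox schema.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Verbatim CFG line for sub_407B10 copied from the report above.
CFG_407B10 = (
    "control_flow_graph 1268 407b10-407b56 1269 407c25-407c39 call 42e243 "
    "1268->1269 1270 407b5c-407b65 1268->1270 1269->1270 1279 407c3f-407c90 "
    "call 42e16e call 42e1f2 1269->1279 1271 407b67 1270->1271 1272 "
    "407b69-407b73 GetFileAttributesA 1270->1272 1271->1272 1274 407c10-407c24 "
    "1272->1274 1275 407b79-407b87 1272->1275 1277 407b92-407b9c 1275->1277 "
    "1278 407b89-407b8f 1275->1278 1280 407ba6-407bbf call 4198b0 1277->1280 "
    "1281 407b9e-407ba3 1277->1281 1278->1277 1279->1270 1287 407bc1-407bd8 "
    "call 413b30 call 407b10 1280->1287 1288 407be8-407beb 1280->1288 "
    "1281->1280 1295 407bdd-407be5 call 4031c0 1287->1295 1291 407bed "
    "1288->1291 1292 407bef-407c0f CreateDirectoryA 1288->1292 1291->1292 "
    "1295->1288"
)

# Address range token: "start-end" or a single "start", lowercase hex.
_RANGE_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    calls: List[int] = field(default_factory=list)   # 'call <hex>' targets
    apis: List[str] = field(default_factory=list)    # imported API names


@dataclass
class Cfg:
    blocks: Dict[int, Block]
    edges: List[Tuple[int, int]]


def parse_cfg(text: str) -> Cfg:
    """Tokenise one control_flow_graph line into blocks and edges."""
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    cur = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                   # edge: src->dst
            src, dst = tok.split("->", 1)
            edges.append((int(src), int(dst)))
            i += 1
        elif tok == "call":                               # internal call target
            if cur is None:
                raise ValueError("call annotation before any block")
            cur.calls.append(int(tokens[i + 1], 16))
            i += 2
        elif tok.isdigit() and i + 1 < len(tokens) and _RANGE_RE.match(tokens[i + 1]):
            # New block: decimal node id followed by its range. A node id is
            # only recognised in this position, so an all-digit hex address
            # such as 433701 is never mistaken for a node id.
            lo, _, hi = tokens[i + 1].partition("-")
            start = int(lo, 16)
            end = int(hi, 16) if hi else start
            cur = Block(int(tok), start, end)
            blocks[cur.node_id] = cur
            i += 2
        else:                                             # bare API name
            if cur is None:
                raise ValueError(f"unexpected token {tok!r}")
            cur.apis.append(tok)
            i += 1
    return Cfg(blocks, edges)


def function_range(cfg: Cfg) -> Tuple[int, int]:
    """Lowest block start and highest block end, i.e. the function's extent."""
    return (min(b.start for b in cfg.blocks.values()),
            max(b.end for b in cfg.blocks.values()))


def api_names(cfg: Cfg) -> List[str]:
    return sorted({a for b in cfg.blocks.values() for a in b.apis})


def call_targets(cfg: Cfg) -> List[int]:
    return sorted({t for b in cfg.blocks.values() for t in b.calls})


def recursive_blocks(cfg: Cfg) -> List[int]:
    """Blocks whose call target lies inside the function itself."""
    lo, hi = function_range(cfg)
    return sorted(nid for nid, b in cfg.blocks.items()
                  if any(lo <= t <= hi for t in b.calls))


def blocks_with_api(cfg: Cfg, name: str) -> List[int]:
    return sorted(nid for nid, b in cfg.blocks.items() if name in b.apis)


def successors(cfg: Cfg, node_id: int) -> List[int]:
    return sorted(dst for src, dst in cfg.edges if src == node_id)


if __name__ == "__main__":
    g = parse_cfg(CFG_407B10)
    lo, hi = function_range(g)
    print(f"sub_{lo:X}: {len(g.blocks)} blocks, {len(g.edges)} edges, "
          f"range {lo:X}-{hi:X}")
    print("APIs:", ", ".join(api_names(g)))
    print("calls:", ", ".join(f"{t:X}" for t in call_targets(g)))
    print("self-calling blocks:", recursive_blocks(g))
```

The same parser applies to every other `control_flow_graph` line in the report; running it over all of them and flagging functions whose `api_names` include process or module enumeration, or whose `recursive_blocks` is non-empty, is a quick way to triage which of the several hundred dumped functions deserve a look in the disassembler.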

                                                                                      APIs
                                                                                      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00443576,00000000,CF830579,00578C68,0000000C,00443632,0043790D,?), ref: 004436E5
                                                                                      • GetLastError.KERNEL32(?,00443576,00000000,CF830579,00578C68,0000000C,00443632,0043790D,?), ref: 004436EF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ChangeCloseErrorFindLastNotification
                                                                                      • String ID:
                                                                                      • API String ID: 1687624791-0
                                                                                      • Opcode ID: b78c23c39475fb946a6917cc79ada02ff23f82b2eae8cc914a7116fd1dd25ee2
                                                                                      • Instruction ID: 5b9e54e71ebf2813978f3334a6ac8d2e590d94fd15b88a1802dc34040f0fcd9e
                                                                                      • Opcode Fuzzy Hash: b78c23c39475fb946a6917cc79ada02ff23f82b2eae8cc914a7116fd1dd25ee2
                                                                                      • Instruction Fuzzy Hash: 0B118C326041153AF6302A34AC4DB3F67898B82F39F26014FF908873C2DE6D8D409658
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0043CEE6,00000000,00000000,00000000,00000002,00000000), ref: 0043CDE8
                                                                                      • GetLastError.KERNEL32(00000000,?,0043CEE6,00000000,00000000,00000000,00000002,00000000,?,004440BE,00000000,00000000,00000000,00000002,00000000,00000000), ref: 0043CDF5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastPointer
                                                                                      • String ID:
                                                                                      • API String ID: 2976181284-0
                                                                                      • Opcode ID: 0af088d07c5e9b5a66b5e22e0931705f94c426e6b0292fcf303bea830e5f1f74
                                                                                      • Instruction ID: 056746620e1e5b2230fb06e89194d4bad5ac0bf9516e57b03a2b19a767fcc837
                                                                                      • Opcode Fuzzy Hash: 0af088d07c5e9b5a66b5e22e0931705f94c426e6b0292fcf303bea830e5f1f74
                                                                                      • Instruction Fuzzy Hash: 62012632614119AFCF058F59CC49D9E3F2AEF89320F24020AF811AB2D0EA75ED41DBD4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 05CC37EE
                                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 05CC380E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, Offset: 05CC3000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_5cc3000_2zdult23rz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                      • String ID:
                                                                                      • API String ID: 3833638111-0
                                                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                      • Instruction ID: 562e1f1df9967a86b8dc01b8d7d5e648caa18cc38f8a3e016f6c519a22b5169f
                                                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                      • Instruction Fuzzy Hash: 88F062312007106FD7207BB5B88DA6E7AF8FF49A25F104DADE643D10C0DA74E9454661
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • Sleep.KERNELBASE(00000065), ref: 004D2103
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Sleep
                                                                                      • String ID: 131
                                                                                      • API String ID: 3472027048-2136814527
                                                                                      • Opcode ID: 7fcd9baa8a9375f207873d3bd77103b4ea8c4e2924f330d05fd9db3092bf82de
                                                                                      • Instruction ID: 16727208b5f08e4bea599353fbf53a6d413f31fbfb73884cdf8f34aab55cbcc4
                                                                                      • Opcode Fuzzy Hash: 7fcd9baa8a9375f207873d3bd77103b4ea8c4e2924f330d05fd9db3092bf82de
                                                                                      • Instruction Fuzzy Hash: B8F0A731B0025416EA26736D7E06B3B3F8997A5765F48009FEE403BBD2DDD9280987D6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: __fread_nolock
                                                                                      • String ID:
                                                                                      • API String ID: 2638373210-0
                                                                                      • Opcode ID: a84dd0405f3734e21e00de2f9719074e0bf350ecf619eceb43609241f9f5c459
                                                                                      • Instruction ID: 6ce4f48939319f72f3aec6a6d9b50e6fff9bcb1e6f6dae555552d8831335830b
                                                                                      • Opcode Fuzzy Hash: a84dd0405f3734e21e00de2f9719074e0bf350ecf619eceb43609241f9f5c459
                                                                                      • Instruction Fuzzy Hash: 2551A0B0D002099FDB14DF59D981BAEFBB0FF49704F14825EE8146B341E779AA41CBA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: __wsopen_s
                                                                                      • String ID:
                                                                                      • API String ID: 3347428461-0
                                                                                      • Opcode ID: 74b1a02970c39c47b45041c200990e685aac7fc35223ed5dd6a5c291d0407c3c
                                                                                      • Instruction ID: e92d0ab7a98c68cd7689e4ea664d55cb742e11440dbe97f573872f5ababe4450
                                                                                      • Opcode Fuzzy Hash: 74b1a02970c39c47b45041c200990e685aac7fc35223ed5dd6a5c291d0407c3c
                                                                                      • Instruction Fuzzy Hash: D6112A71A0410AAFDF05DF58E94199F7BF5EF48304F14405AF805EB352D670DA15CB69
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 0040373F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                      • String ID:
                                                                                      • API String ID: 118556049-0
                                                                                      • Opcode ID: c8f910bf03f94a0f0c294a8cbb5c47e77f87340cd5e2596aba26795b41fc774c
                                                                                      • Instruction ID: 1f83190ccb7284a945d627c352a8af0deec80e54417847a9b28e6d6de5687d5d
                                                                                      • Opcode Fuzzy Hash: c8f910bf03f94a0f0c294a8cbb5c47e77f87340cd5e2596aba26795b41fc774c
                                                                                      • Instruction Fuzzy Hash: F6F024F26000009BCB14AF61E4429FAB7ECDE243A7750447FF989D7282E73EDA448788
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,0042C58A,?,?,00444870,00000001,00000364,?,00000008,000000FF,?,0042F3CF,?,?,00000000,?), ref: 00444F2B
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: a67815bf3a869f96681a983d491eb3b40caf69aff6fa6519728d0dfc96a736c8
• Instruction ID: 086544c5e523b8e02c2757f3417cf7e9bd7439c420b709eac9e7cfb6d4d974b4
• Opcode Fuzzy Hash: a67815bf3a869f96681a983d491eb3b40caf69aff6fa6519728d0dfc96a736c8
• Instruction Fuzzy Hash: CEF0B4316155246BBB215E629C05B7B7788ABD17A1F158417FD04E7280CE38D80886E9
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,0042F3CF,?,?,00000000,?,?,0040390D,0042C58A,?,?,0042C58A), ref: 00445956
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: f2b14cbab143d06f1f7f7dbb6931a5cb890e65deebc000058d543e0d14a0fef9
• Instruction ID: 47241cb67a9c7b30d4e0b830f1b418076ccf533a730137c1b779a77b3e9f7ccf
• Opcode Fuzzy Hash: f2b14cbab143d06f1f7f7dbb6931a5cb890e65deebc000058d543e0d14a0fef9
• Instruction Fuzzy Hash: 1CE0E571202A20EBFE252F265C0576B3648DB413B0F080113FD05F6292DB68CC0482ED
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0043D239
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: a91d23867b62d5b96c41623edd2e8bd3ad87182c46de236b94739b51406d3068
• Instruction ID: 7ae74b51c889a2cb05e6a06522f477e8d6926b4a8c7f3733491aa3a38d366a2c
• Opcode Fuzzy Hash: a91d23867b62d5b96c41623edd2e8bd3ad87182c46de236b94739b51406d3068
• Instruction Fuzzy Hash: 92D06C3200010DBBDF028F84DC06EDA3BAAFB4C714F014040FA1866120C772E822EB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 05CC34D6
Memory Dump Source
• Source File: 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, Offset: 05CC3000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5cc3000_2zdult23rz.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: 632c44495199bdb385e1c2179a08d5a29573660bcdd1f37d04753ee3063fc78f
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 5B112B79A00208EFDB01DF98C989E99BFF5AF08751F058094F9489B361D375EA90EB80
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID: $AX$*?[$-%T$Safety level may not be changed inside a transaction$cache_size$cache_size$cache_size$case_sensitive_like$cid$cid$collation_list$database_list$default_cache_size$dflt_value$encoding$encoding$exclusive$exclusive$file$file$freelist_count$glob$glob$index_info$index_list$journal_mode$journal_mode$journal_size_limit$journal_size_limit$like$like$like$locking_mode$locking_mode$max_page_count$max_page_count$memory$name$name$name$name$name$normal$normal$not a writable directory$notnull$page_count$page_count$page_size$page_size$schema_version$seq$seq$seq$seqno$synchronous$synchronous$table_info$temp_store$temp_store$temp_store_directory$temp_store_directory$type$unique$unsupported encoding: %s$user_version
• API String ID: 0-2540211024
• Opcode ID: b3b4600330eca52d6da621488ec254c91da53a423cad2c0afe11b63631272a03
• Instruction ID: e845cb136b924fc1b8bd2ff68bcba8bd07f58aab76af76392cb2f3833a97622e
• Opcode Fuzzy Hash: b3b4600330eca52d6da621488ec254c91da53a423cad2c0afe11b63631272a03
• Instruction Fuzzy Hash: 4603F1706047029FE724EF28C855B6ABFE1BF84344F05856DEC864B392EB75E945CB82
Uniqueness

Uniqueness Score: -1.00%

APIs
• GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004F2189
• GetSystemMetrics.USER32(00000001), ref: 004F219F
• GetSystemMetrics.USER32(00000000), ref: 004F21A5
• GetDC.USER32(00000000), ref: 004F21AB
• CreateCompatibleDC.GDI32(00000000), ref: 004F21BF
• CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 004F21D3
• SelectObject.GDI32(?,00000000), ref: 004F21E8
• BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 004F2201
• GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 004F2217
• GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 004F2233
• GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 004F225A
• GdipSaveImageToFile.GDIPLUS(00000000,?,?,?), ref: 004F22FD
• DeleteObject.GDI32(?), ref: 004F2306
• GdipDisposeImage.GDIPLUS(00000000), ref: 004F230D
• DeleteObject.GDI32(?), ref: 004F2316
• ReleaseDC.USER32(00000000,00000000), ref: 004F231F
• GdiplusShutdown.GDIPLUS(?), ref: 004F2328
Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: Gdip$Image$CreateObject$BitmapCompatibleDeleteEncodersGdiplusMetricsSystem$DisposeFileFromReleaseSaveSelectShutdownSizeStartup
• String ID: d$image/png
• API String ID: 258367123-2616758285
• Opcode ID: d93c92cf953bbe82929a5a79100fd7e348d6b079dbf9517b437a49d65dcd1284
• Instruction ID: db5a99caf6ac0e95f343f652cfce475829ccb6d2aa326760d5af157a7b9552c8
• Opcode Fuzzy Hash: d93c92cf953bbe82929a5a79100fd7e348d6b079dbf9517b437a49d65dcd1284
• Instruction Fuzzy Hash: C8516D71D00209AFDF109FA4DD49BEEBBB8FF18314F100065EA05B72A1D7B99948DB64
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 00421441
• ___std_exception_destroy.LIBVCRUNTIME ref: 0042145A
• ___std_exception_destroy.LIBVCRUNTIME ref: 004215C9
• ___std_exception_destroy.LIBVCRUNTIME ref: 004215E2
• ___std_exception_destroy.LIBVCRUNTIME ref: 00421771
• ___std_exception_destroy.LIBVCRUNTIME ref: 0042178A
• ___std_exception_destroy.LIBVCRUNTIME ref: 004218F8
• ___std_exception_destroy.LIBVCRUNTIME ref: 00421911
Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ___std_exception_destroy
• String ID: array$number overflow parsing '$object$value
• API String ID: 4194217158-3322379575
• Opcode ID: e555e912bc3d5ea9eb6b2d2de366fb1622abbe6a57b9346b50e1f3dcaf57cb67
• Instruction ID: 00768d5fc8748761bd5f16832d8c5e7407e174650216dc2cd932e62d29873a42
• Opcode Fuzzy Hash: e555e912bc3d5ea9eb6b2d2de366fb1622abbe6a57b9346b50e1f3dcaf57cb67
• Instruction Fuzzy Hash: 37A20770E0025CDFDB14DF64DC84BEEBBB4BF15304F5442AAE405AB252D778AA84CBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 004F2C46
• std::_Throw_Cpp_error.LIBCPMT ref: 004F2C57
• CreateDirectoryA.KERNEL32(?,00000000,00000005,?), ref: 004F2C92
• std::_Throw_Cpp_error.LIBCPMT ref: 004F2CAD
• std::_Throw_Cpp_error.LIBCPMT ref: 004F2CBE
Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$CreateDirectory
• String ID: \*.*
• API String ID: 2715195259-1173974218
• Opcode ID: 814ce260b9bfa26f523507cfed22b3522d2a7f73f82a2f2749aa20a71174747c
• Instruction ID: 7da63344816831cd32a6d15c85321fef3bc67ca236fa94babc2c51aa99245672
• Opcode Fuzzy Hash: 814ce260b9bfa26f523507cfed22b3522d2a7f73f82a2f2749aa20a71174747c
• Instruction Fuzzy Hash: 83B15970D002089BDB24DF64CD897FEBBB5EF15314F14421AE914B7292DBB49A88CB65
Uniqueness

Uniqueness Score: -1.00%

Strings
• UNIQUE, xrefs: 0052A9FA
• INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);, xrefs: 0052AA3F
• table %s has no column named %s, xrefs: 0052A720
• there is already a table named %s, xrefs: 0052A36A
• sqlite_master, xrefs: 0052AA37
• virtual tables may not be indexed, xrefs: 0052A285
• sqlite_, xrefs: 0052A22A
• sqlite_autoindex_%s_%d, xrefs: 0052A3ED
• conflicting ON CONFLICT clauses specified, xrefs: 0052A85A
• CREATE%s INDEX %.*s, xrefs: 0052AA0E
• table %s may not be indexed, xrefs: 0052A269
• index %s already exists, xrefs: 0052A3D0
• name='%q', xrefs: 0052AAAC
• altertab_, xrefs: 0052A24E
• index, xrefs: 0052A198
• %s %T cannot reference objects in database %s, xrefs: 0052A19D
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID: UNIQUE$%s %T cannot reference objects in database %s$CREATE%s INDEX %.*s$INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);$altertab_$conflicting ON CONFLICT clauses specified$index$index %s already exists$name='%q'$sqlite_$sqlite_autoindex_%s_%d$sqlite_master$table %s has no column named %s$table %s may not be indexed$there is already a table named %s$virtual tables may not be indexed
• API String ID: 0-2275377220
• Opcode ID: 42eb52e28c9e75529f81b515b9a557a50d157e7ce874963da385c56fa8c2caa6
• Instruction ID: e93dd321a033fea174b589206a083260ae5da8e2c1557436a8bfc2c3ffc6432b
• Opcode Fuzzy Hash: 42eb52e28c9e75529f81b515b9a557a50d157e7ce874963da385c56fa8c2caa6
• Instruction Fuzzy Hash: 8D82A274A002669FDB14CF68D494BAEBFB1BF46304F188569EC05AB382D735ED41CB92
Uniqueness

Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040,?,00000000), ref: 004DB3EA
                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,t-M,?,00000000), ref: 004DB406
                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004DB43F
                                                                                      • VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004DB469
                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000218,00000000,00588C74,0000000C,?,?), ref: 004DB667
                                                                                      • WriteProcessMemory.KERNEL32(?,?,004DB750,-00000010,00000000), ref: 004DB687
                                                                                      • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 004DB69A
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004DB6A3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
                                                                                      • String ID: %s|%s$131$t-M
                                                                                      • API String ID: 2137838514-1610326920
                                                                                      • Opcode ID: d846cd9efe794dabbe6303a7ca57bf51d6a4f60f0f1195384f94d2039c0c4ba4
                                                                                      • Instruction ID: 6aa050c662bd13d499a16f11a1e563ae193b69cbb3db5d026509a3591e8fd703
                                                                                      • Opcode Fuzzy Hash: d846cd9efe794dabbe6303a7ca57bf51d6a4f60f0f1195384f94d2039c0c4ba4
                                                                                      • Instruction Fuzzy Hash: 6AC1AD719002089FDB14CFA8DC95BAEBBB5FF48300F10815AE905BB391DB74A984DFA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004F3A30
                                                                                      • Process32First.KERNEL32(00000000,00000128), ref: 004F3A40
                                                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 004F3A5D
                                                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 004F3D02
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004F3D0E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                                                                      • String ID: exists$h<W$T
                                                                                      • API String ID: 2284531361-4052732701
                                                                                      • Opcode ID: 5f31ad664e5ba84cd135917ad95c6ca46942d6c56e0b6ec4c5cf96f2ceaf7ba0
                                                                                      • Instruction ID: a55d78c1f13f08f41782f3ebf8019b16d79fea48d73a6b4249f6ffd2f4471d15
                                                                                      • Opcode Fuzzy Hash: 5f31ad664e5ba84cd135917ad95c6ca46942d6c56e0b6ec4c5cf96f2ceaf7ba0
                                                                                      • Instruction Fuzzy Hash: 15F26774C0026C9BDB25CF68C994BEEBBB1BF49304F1482DAD949A7341DB346A86CF54
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%
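
The two API listings above (the VirtualAllocEx/WriteProcessMemory/CreateRemoteThread/WaitForSingleObject chain at 004DB3EA..004DB6A3 and the CreateToolhelp32Snapshot/Process32First/Process32Next walk at 004F3A30..004F3D0E) are the static evidence for the "inject threads in other processes" capability: memory is reserved and committed in a target process with flAllocationType 0x3000 (MEM_COMMIT|MEM_RESERVE) and flProtect 0x40 (PAGE_EXECUTE_READWRITE), the payload is written there, and a thread is started on it; the Toolhelp32 snapshot (dwFlags 0x2, TH32CS_SNAPPROCESS) is the usual way a stealer picks its target or looks for AV processes. The following is an added example, not code from Joe Sandbox or from the sample: it parses API lines written in the report's own "Name.MODULE(args), ref: ADDR" format and flags both patterns. The sample input is constructed from the entries listed above; the constants are the documented Win32 values. Arguments shown as "?" are ones the static analysis could not resolve, so a finding here means the capability is present in the code, not that the sandbox observed it executing.

```python
import re
from dataclasses import dataclass

# Constructed sample: API entries copied from the two functions listed above,
# plus one "Part of subcall function" line to exercise that prefix.
SAMPLE_APIS = """\
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040,?,00000000), ref: 004DB3EA
• WriteProcessMemory.KERNEL32(00000000,00000000,t-M,?,00000000), ref: 004DB406
• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004DB43F
• VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004DB469
• WriteProcessMemory.KERNEL32(?,?,?,00000218,00000000,00588C74,0000000C,?,?), ref: 004DB667
• WriteProcessMemory.KERNEL32(?,?,004DB750,-00000010,00000000), ref: 004DB687
• CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 004DB69A
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004DB6A3
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004F3A30
• Process32First.KERNEL32(00000000,00000128), ref: 004F3A40
• Process32Next.KERNEL32(00000000,00000128), ref: 004F3A5D
  • Part of subcall function 00551FA0: AreFileApisANSI.KERNEL32(00000000,00000000,?,?,?,00550CE5), ref: 00551FAC
"""

# Documented Win32 constants.
MEM_COMMIT_RESERVE = 0x3000       # MEM_COMMIT | MEM_RESERVE
PAGE_EXECUTE_READWRITE = 0x40
TH32CS_SNAPPROCESS = 0x2

# One report line: optional bullet, optional subcall prefix, Api.MODULE(args), ref: ADDR.
# The argument list is optional so entries like "GetLastError.KERNEL32 ref: ..." still parse.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # raw tokens; "?" marks a value the static analysis could not resolve
    ref: int     # address of the call site

    def arg_int(self, i):
        """Argument i as an int, or None when missing, unresolved ('?') or a string literal."""
        if i >= len(self.args):
            return None
        try:
            return int(self.args[i], 16)
        except ValueError:
            return None


def parse_api_lines(text):
    """Turn report 'APIs' lines into ApiCall records; lines in another format are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def find_remote_thread_injection(calls):
    """Flag VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread in listing order.

    VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType, flProtect): the
    allocation must request MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE.
    """
    findings = []
    alloc, wrote = None, False
    for c in calls:
        if (c.api == "VirtualAllocEx" and c.arg_int(3) == MEM_COMMIT_RESERVE
                and c.arg_int(4) == PAGE_EXECUTE_READWRITE):
            alloc = alloc or c            # keep the first RWX allocation of the chain
        elif c.api == "WriteProcessMemory" and alloc is not None:
            wrote = True
        elif c.api == "CreateRemoteThread" and alloc is not None and wrote:
            findings.append({"technique": "remote thread injection (RWX alloc, write, CreateRemoteThread)",
                             "alloc_ref": alloc.ref, "thread_ref": c.ref})
            alloc, wrote = None, False    # start looking for another chain
    return findings


def find_process_enumeration(calls):
    """Flag a TH32CS_SNAPPROCESS snapshot that is then walked with Process32First/Next."""
    snaps = [c for c in calls if c.api == "CreateToolhelp32Snapshot"
             and c.arg_int(0) is not None and c.arg_int(0) & TH32CS_SNAPPROCESS]
    walk = [c for c in calls if c.api in ("Process32First", "Process32Next",
                                          "Process32FirstW", "Process32NextW")]
    if snaps and walk:
        return [{"technique": "process enumeration via Toolhelp32 snapshot",
                 "snapshot_ref": snaps[0].ref, "walk_refs": [c.ref for c in walk]}]
    return []


def analyze(text):
    """Parse a block of report API lines and return all findings."""
    calls = parse_api_lines(text)
    return find_remote_thread_injection(calls) + find_process_enumeration(calls)


if __name__ == "__main__":
    for f in analyze(SAMPLE_APIS):
        print({k: (hex(v) if isinstance(v, int) else v) for k, v in f.items()})
```

The injection check deliberately requires the RWX protection on the allocation rather than matching on API names alone: legitimate debuggers and some installers call WriteProcessMemory and CreateRemoteThread, but a MEM_COMMIT|MEM_RESERVE plus PAGE_EXECUTE_READWRITE allocation in another process is the combination worth alerting on. The same three-stage logic maps directly onto ETW or EDR telemetry if the call records are fed in instead of report lines.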

                                                                                      APIs
                                                                                      • GetFileAttributesExW.KERNEL32(?,00000000,?,?,?,00000000), ref: 0042C949
                                                                                      • GetLastError.KERNEL32(?,?,00000000), ref: 0042C953
                                                                                      • FindFirstFileW.KERNEL32(?,?,?,?,00000000), ref: 0042C96A
                                                                                      • GetLastError.KERNEL32(?,?,00000000), ref: 0042C975
                                                                                      • FindClose.KERNEL32(00000000,?,?,00000000), ref: 0042C981
                                                                                      • ___std_fs_open_handle@16.LIBCPMT ref: 0042CA3A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_open_handle@16
                                                                                      • String ID:
                                                                                      • API String ID: 2340820627-0
                                                                                      • Opcode ID: bf5c314ba0da57aee43f03cfb816f80cec1ee27c70f78e51851dbfabe2b1590b
                                                                                      • Instruction ID: 9c96711158d71915e989b8915fd07cc0fb9d29d2e584a18587f3ea2c0814df8f
                                                                                      • Opcode Fuzzy Hash: bf5c314ba0da57aee43f03cfb816f80cec1ee27c70f78e51851dbfabe2b1590b
                                                                                      • Instruction Fuzzy Hash: B5719F74B006299FCB20CF28ECC9BAEB7B4BF05350F544256E855E3390DB74AA85CB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: $%s.%s$%s: %s$%s: %s.%s$no such table$no such table: %s$no tables specified$sqlite_subquery_%p_$too many columns in result set
                                                                                      • API String ID: 0-1803442545
                                                                                      • Opcode ID: c46570eeff12e201942a45b98213d1242dffe5d686e4ce8297ad7a80c2508b26
                                                                                      • Instruction ID: dbcf86031569527fedc52a40f5d4d288d03f0ee8d1881843e8073522b91ea1c3
                                                                                      • Opcode Fuzzy Hash: c46570eeff12e201942a45b98213d1242dffe5d686e4ce8297ad7a80c2508b26
                                                                                      • Instruction Fuzzy Hash: DE626F746043428FE720DF28C484B9ABFE1BF88314F14896DE8999B352E775ED85CB91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLastError.KERNEL32 ref: 005514A1
                                                                                      • GetVersionExA.KERNEL32(?), ref: 005514C5
                                                                                      • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 005514F7
                                                                                      • LocalFree.KERNEL32(?), ref: 0055150E
                                                                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00551546
                                                                                        • Part of subcall function 00551FA0: AreFileApisANSI.KERNEL32(00000000,00000000,?,?,?,00550CE5), ref: 00551FAC
                                                                                        • Part of subcall function 00551FA0: MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,?,?,?,00550CE5), ref: 00551FC1
                                                                                        • Part of subcall function 00551FA0: MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00551FE7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharFormatMessageMultiWide$ApisErrorFileFreeLastLocalVersion
                                                                                      • String ID: OsError 0x%x (%u)
                                                                                      • API String ID: 807219750-2664311388
                                                                                      • Opcode ID: 1e980f5be3f40432892b78680a9e00c8c781f1225daa683e8a12723f3aed8efa
                                                                                      • Instruction ID: 9b27ad27aa6b107916d8f15fc18c28eacd3d43973c27fd9c2debad90333f58c4
                                                                                      • Opcode Fuzzy Hash: 1e980f5be3f40432892b78680a9e00c8c781f1225daa683e8a12723f3aed8efa
                                                                                      • Instruction Fuzzy Hash: DB21A771F04208BBDB20AB75AC09F9E7FB9FB85752F1000A6F909E3190E7709E44CA65
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      • database %s is already in use, xrefs: 0052E6DB
                                                                                      • out of memory, xrefs: 0052EAB3
                                                                                      • cannot ATTACH database within transaction, xrefs: 0052E633
                                                                                      • too many attached databases - max %d, xrefs: 0052E61A
                                                                                      • database is already attached, xrefs: 0052E8AE
                                                                                      • attached databases must use the same text encoding as main database, xrefs: 0052E903
                                                                                      • unknown error, xrefs: 0052EB99
                                                                                      • unable to open database: %s, xrefs: 0052EA69
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s$unknown error
                                                                                      • API String ID: 0-3388813885
                                                                                      • Opcode ID: 702ed6e63216880816570d34f11c1dba0bc889db466786b29044e47f033371ce
                                                                                      • Instruction ID: c3b9d6300042f78e0bdfbefd1445517a0dd6b803bd7168242ccf3fd657f5b24e
                                                                                      • Opcode Fuzzy Hash: 702ed6e63216880816570d34f11c1dba0bc889db466786b29044e47f033371ce
                                                                                      • Instruction Fuzzy Hash: 282228706007529BDB20CF24E49676ABFF1FF56304F14882ED89A97382E770E985CB90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: __floor_pentium4
                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                      • API String ID: 4168288129-2761157908
                                                                                      • Opcode ID: c68a482fff77e025b5f2395bd1c32dc8eaeef183412ba3e2533826b7f177a24f
                                                                                      • Instruction ID: 19b2b9832e91dc5334225f28d461ebb5f9cd7fa0aaab348ffad5a30d2ce72a94
                                                                                      • Opcode Fuzzy Hash: c68a482fff77e025b5f2395bd1c32dc8eaeef183412ba3e2533826b7f177a24f
                                                                                      • Instruction Fuzzy Hash: 0FD23971E086288FDB64CE28DD447EAB7B5EB45305F1401EBD80DE7241EB78AE898F45
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: %d values for %d columns$OID$ROWID$_ROWID_$rows inserted$table %S has %d columns but %d values were supplied$table %S has no column named %s
                                                                                      • API String ID: 0-557196483
                                                                                      • Opcode ID: f76b86c6181df38b935f5e198d6386c28489abdb5433cebf390b30408947ea8e
                                                                                      • Instruction ID: e16d57ff769c01e613f081803d3a99e8b2fa06a3413bbdfdeb6f383a167cc5c4
                                                                                      • Opcode Fuzzy Hash: f76b86c6181df38b935f5e198d6386c28489abdb5433cebf390b30408947ea8e
                                                                                      • Instruction Fuzzy Hash: 84D269706047528FD724DF28D444B2ABBE1FF86304F15895DE88A8B392E779E945CF82
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004D1837
                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004D1848
                                                                                      • DeleteFileA.KERNEL32(?), ref: 004D1911
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Cpp_errorThrow_std::_$DeleteFile
                                                                                      • String ID: 131$futer
                                                                                      • API String ID: 801707934-4190298202
                                                                                      • Opcode ID: 3351b610fb7c0e38ca72391ab1cac65f232bbd6e17476fb8fd2e1fc74a3e9932
                                                                                      • Instruction ID: ed3f0cb8ca549558cf38e877f09047e3770604ffa05b733eb3555e5ea153d0bb
                                                                                      • Opcode Fuzzy Hash: 3351b610fb7c0e38ca72391ab1cac65f232bbd6e17476fb8fd2e1fc74a3e9932
                                                                                      • Instruction Fuzzy Hash: BF82D5B0D00204DFCB14DF68D895BAEBBB1FF49314F14425EE845AB392D738AA45CB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,2000000B,0044DE96,00000002,00000000,?,?,?,0044DE96,?,00000000), ref: 0044DC1D
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,20001004,0044DE96,00000002,00000000,?,?,?,0044DE96,?,00000000), ref: 0044DC46
                                                                                      • GetACP.KERNEL32(?,?,0044DE96,?,00000000), ref: 0044DC5B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoLocale
                                                                                      • String ID: ACP$OCP
                                                                                      • API String ID: 2299586839-711371036
                                                                                      • Opcode ID: 0db92f83539562add904e7f00848d79ebd1a0197efef5317cf0568fffe86725e
                                                                                      • Instruction ID: 1394b0987a4baadc561295707693a2f226613c8b6a9ba9225a5c5d7c31b213ab
                                                                                      • Opcode Fuzzy Hash: 0db92f83539562add904e7f00848d79ebd1a0197efef5317cf0568fffe86725e
                                                                                      • Instruction Fuzzy Hash: 3E21C232E00104A6FB349F64CD84B9773A6EF54F50B568466E90ADB310EB76ED41D398
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: WITHOUT ROWID$WITHOUT ROWID$d$library routine called out of sequence$out of memory$unknown error
                                                                                      • API String ID: 0-1049893272
                                                                                      • Opcode ID: 0fb34dae45e55d200879d9be982dc038cf41f4de84004c7c6be17aa8078a4593
                                                                                      • Instruction ID: 497802968e842dde83b933efc766fcc9b30b40c45d497888dbf4db774b5c934f
                                                                                      • Opcode Fuzzy Hash: 0fb34dae45e55d200879d9be982dc038cf41f4de84004c7c6be17aa8078a4593
                                                                                      • Instruction Fuzzy Hash: 5CB2CF70605B52DFC728CF28E494A6BBBF1BF96304F14492DE88A97391D731E845CB86
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: header crc mismatch$incorrect header check$invalid window size$unknown compression method$unknown compression method$unknown header flags set
                                                                                      • API String ID: 0-3686625691
                                                                                      • Opcode ID: 4c2f9d5c2bdd7808168994c88f556638d8f90cd17022183335ab7c82b5a3c369
                                                                                      • Instruction ID: 3f80238d5f8a72e0ad2ebb0af3e3e782f679acaebd88050fb0d0b61cde383b65
                                                                                      • Opcode Fuzzy Hash: 4c2f9d5c2bdd7808168994c88f556638d8f90cd17022183335ab7c82b5a3c369
                                                                                      • Instruction Fuzzy Hash: 23626CB1E002499FDB14CF59C5847AEBBF1BF48308F2481AED904AB392C779D946CB94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(?), ref: 005512E3
                                                                                      • CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,7FFFFFFD,00000000,00000000), ref: 00551313
                                                                                      • CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,7FFFFFFD,00000000,00000000), ref: 0055131B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile$Version
                                                                                      • String ID:
                                                                                      • API String ID: 1715692615-0
                                                                                      • Opcode ID: a50e396471c21bd5292f2ea255f87583e8432b1e27d6808c766b3da514bf39bc
                                                                                      • Instruction ID: b4edcec529d807a06da9efb1c5396e9c71554b609393fe2db9d6cd66cb1a39d6
                                                                                      • Opcode Fuzzy Hash: a50e396471c21bd5292f2ea255f87583e8432b1e27d6808c766b3da514bf39bc
                                                                                      • Instruction Fuzzy Hash: C561CC71604702ABDB10DF29D854BABBFE4FF84315F04492AFC99D6280EB35D9098B96
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,?,0044A0B9), ref: 004446D6
                                                                                        • Part of subcall function 004446D2: SetLastError.KERNEL32(00000000,00000000,?,00000008,000000FF), ref: 00444778
                                                                                      • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0044DE68
                                                                                      • IsValidCodePage.KERNEL32(00000000), ref: 0044DEA6
                                                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 0044DEB9
                                                                                      • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0044DF01
                                                                                      • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0044DF1C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                      • String ID:
                                                                                      • API String ID: 415426439-0
                                                                                      • Opcode ID: c0c8c2d6262a040be15751399d3cf2aa6162f753bba806c1ef4a1672a4700e44
                                                                                      • Instruction ID: 721269df72700bf9050ff1f907747f54117a3986f916008cc6d55a86c54b6450
                                                                                      • Opcode Fuzzy Hash: c0c8c2d6262a040be15751399d3cf2aa6162f753bba806c1ef4a1672a4700e44
                                                                                      • Instruction Fuzzy Hash: 12518071E00605ABFF10DFA5CC41ABB77B8EF18704F15446BE901EB290EB789904CB65
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: OID$ROWID$_ROWID_$no such column: %s$rows updated
                                                                                      • API String ID: 0-3385237395
                                                                                      • Opcode ID: 2111e1e3017d67c2f7bbf8387bf79ca03383a41b87454351c0d0f7efb7efb2f7
                                                                                      • Instruction ID: 54983cf935286fed85f1d38aca188a08520a17ed0d3d8c2e75c97e0ee3f6277e
                                                                                      • Opcode Fuzzy Hash: 2111e1e3017d67c2f7bbf8387bf79ca03383a41b87454351c0d0f7efb7efb2f7
                                                                                      • Instruction Fuzzy Hash: B6C278706047428FE724DF18C0A4B6ABBF1FF88304F16895DE9968B352D775E985CB82
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,?,0044A0B9), ref: 004446D6
                                                                                        • Part of subcall function 004446D2: SetLastError.KERNEL32(00000000,00000000,?,00000008,000000FF), ref: 00444778
                                                                                      • GetACP.KERNEL32(?,?,?,?,?,?,00441B90,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0044D4AA
                                                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441B90,?,?,?,00000055,?,-00000050,?,?), ref: 0044D4E1
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0044D644
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$CodeInfoLocalePageValid
                                                                                      • String ID: utf8
                                                                                      • API String ID: 607553120-905460609
                                                                                      • Opcode ID: c45a0186f4581b71202d969cc458f697c66e26bf91fa0bd1cdd2ae7615315ff2
                                                                                      • Instruction ID: 2cfea991c2b2acc9964e98fc6b5fb71baa63820d9a3b6a37bb74a83d3ed0bc3b
                                                                                      • Opcode Fuzzy Hash: c45a0186f4581b71202d969cc458f697c66e26bf91fa0bd1cdd2ae7615315ff2
                                                                                      • Instruction Fuzzy Hash: F771D671A00605AAFB24AB75CC86BBB73A8EF05748F14442BF905D7281EF7CE944C769
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: .,+-$@$H$Q
                                                                                      • API String ID: 0-2755557186
                                                                                      • Opcode ID: c897259b73a0517bb5c1bfbb884ad928e7401f702e3503b2968597b33c7ccf55
                                                                                      • Instruction ID: 7287085181065342c0cf32ad8819db337b2f58c8c442f7811d5b28c015796729
                                                                                      • Opcode Fuzzy Hash: c897259b73a0517bb5c1bfbb884ad928e7401f702e3503b2968597b33c7ccf55
                                                                                      • Instruction Fuzzy Hash: B5B27C74E002099FDF14DF98C890BAEBBB2FF88304F148159E845AB396D735AD55CBA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0042EA20
                                                                                      • IsDebuggerPresent.KERNEL32 ref: 0042EAEC
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042EB05
                                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0042EB0F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                      • String ID:
                                                                                      • API String ID: 254469556-0
                                                                                      • Opcode ID: 42954efdac53cf3c2a2cf13cc16ca68fea820c5f8c06520c72d11b2371d29965
                                                                                      • Instruction ID: 1249aa533244df727fa709a41629287d637b7995ae69670e2272991b28a3673f
                                                                                      • Opcode Fuzzy Hash: 42954efdac53cf3c2a2cf13cc16ca68fea820c5f8c06520c72d11b2371d29965
                                                                                      • Instruction Fuzzy Hash: C331F775D052289BDB20EFA5D9497CDBBB8BF08304F1041EAE40DAB250EB759B84CF45
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetSystemTime.KERNEL32(?), ref: 00550E0A
                                                                                      • GetCurrentProcessId.KERNEL32 ref: 00550E25
                                                                                      • GetTickCount.KERNEL32 ref: 00550E3A
                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00550E51
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                      • String ID:
                                                                                      • API String ID: 4122616988-0
                                                                                      • Opcode ID: 2ac2ec12dac1c0ddfdd78ada81de9e9e7eb84829c7919e5107d900e7ee8de75e
                                                                                      • Instruction ID: 0ad404b685b9be94c967810f0ec58d8e8c259cc4ebc635e655cd524cbb144e7b
                                                                                      • Opcode Fuzzy Hash: 2ac2ec12dac1c0ddfdd78ada81de9e9e7eb84829c7919e5107d900e7ee8de75e
                                                                                      • Instruction Fuzzy Hash: 81110432A006288BDB118FACEC884EEFBE8FF49321B404976ED49D7251DA70E484C790
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 149.18.24.96$149.18.24.96$Content-Type: application/x-www-form-urlencoded$Content-Type: application/x-www-form-urlencoded
                                                                                      • API String ID: 0-731838243
                                                                                      • Opcode ID: b0432dc79cd047b5696158ff9bd72d7dbe8a2134232c52a5f0752b22be155275
                                                                                      • Instruction ID: 33a632d0a306c15a1de1fb4794a992465f2ff5513e11846780c43e6219a31879
                                                                                      • Opcode Fuzzy Hash: b0432dc79cd047b5696158ff9bd72d7dbe8a2134232c52a5f0752b22be155275
                                                                                      • Instruction Fuzzy Hash: BCB201B4D042589BCB25DFA8D991BECBBB1BF48314F14819AE84977341DB342E84CF69
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: max$min$too many terms in compound SELECT
                                                                                      • API String ID: 0-238764930
                                                                                      • Opcode ID: 205a107d1f05d0722c780a0591bc6b168285149ab388ede348cf7e081aed1c1a
                                                                                      • Instruction ID: 21d4b731694caece0f62baeaebb39f7c46cc54ca136487e19f75387d70021220
                                                                                      • Opcode Fuzzy Hash: 205a107d1f05d0722c780a0591bc6b168285149ab388ede348cf7e081aed1c1a
                                                                                      • Instruction Fuzzy Hash: 97F23670604741CFE724DF28C494B6ABBE1BFC8344F15896DE9858B352EB75E885CB82
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00452979
                                                                                      • GetSystemInfo.KERNEL32(?), ref: 00452994
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoQuerySystemVirtual
                                                                                      • String ID: D
                                                                                      • API String ID: 401686933-2746444292
                                                                                      • Opcode ID: e74ab065f0439bd4aea146d8791e2cb0e9397abd09d2c9666de48529700fe63d
                                                                                      • Instruction ID: 5c20be6a1f0816990224c99f6728689887d7ae44d02cb0a50e4543e85df9bff5
                                                                                      • Opcode Fuzzy Hash: e74ab065f0439bd4aea146d8791e2cb0e9397abd09d2c9666de48529700fe63d
                                                                                      • Instruction Fuzzy Hash: 5401F7B37001096BDB14DE29DC05BDE7BAAAFD5325F0CC226ED19D7341DA78D905CA90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002,?,?,00403F3F,?,?,?,?,?,?,0055847D,000000FF), ref: 0042C637
                                                                                      • FormatMessageA.KERNEL32(00001300,00000000,?,?,00000000,00000000,00000000,?,?,?,00403F3F,?,?), ref: 0042C65E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: FormatInfoLocaleMessage
                                                                                      • String ID: !x-sys-default-locale
                                                                                      • API String ID: 4235545615-2729719199
                                                                                      • Opcode ID: 6f5429a6348d8f1c07becab912b970258c68df31968fb96a1b0a6208db707351
                                                                                      • Instruction ID: 5b6063aa3af019313e454f52bbb2b892fc0fc7ce3dc01ef7e9449aa7aef8ef01
                                                                                      • Opcode Fuzzy Hash: 6f5429a6348d8f1c07becab912b970258c68df31968fb96a1b0a6208db707351
                                                                                      • Instruction Fuzzy Hash: F7F03075614114FFEB189B98DC4ADAF7AACEB19394F404119F602D7150E6F1AE009760
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,?,0044A0B9), ref: 004446D6
                                                                                        • Part of subcall function 004446D2: SetLastError.KERNEL32(00000000,00000000,?,00000008,000000FF), ref: 00444778
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044D85C
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044D8A6
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044D96C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoLocale$ErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 661929714-0
                                                                                      • Opcode ID: 5db40f0beb62554498c78fa207cbcb21fed7a2ab908d42d80f8629cdf2fd32a1
                                                                                      • Instruction ID: a7ef0e2b3e67b6f440219475ae74fe998f4269ac0d9ab468b59062505fc3cc5d
                                                                                      • Opcode Fuzzy Hash: 5db40f0beb62554498c78fa207cbcb21fed7a2ab908d42d80f8629cdf2fd32a1
                                                                                      • Instruction Fuzzy Hash: BB61A1B19001079FFB28DF29CC86BBBB3A9EF04304F10416BE905D6685EB78D991CB58
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004D1275
                                                                                      • LocalFree.KERNEL32(?), ref: 004D12A4
                                                                                      • LocalFree.KERNEL32(?,?), ref: 004D1365
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeLocal$CryptDataUnprotect
                                                                                      • String ID:
                                                                                      • API String ID: 2835072361-0
                                                                                      • Opcode ID: faf5e702467f3a29d371903c32aaca82da333eb71e39eb5694a67d102b66e2d3
                                                                                      • Instruction ID: edacca0892e7d6bf58cfe28d189f09218ecc2b188b76278acbc21aeb1f3e2cb0
                                                                                      • Opcode Fuzzy Hash: faf5e702467f3a29d371903c32aaca82da333eb71e39eb5694a67d102b66e2d3
                                                                                      • Instruction Fuzzy Hash: DD312631D001086BEB00ABA9DC857FEB779EF59314F00817BEC18B7351EB3959858BA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 004333EC
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 004333F6
                                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00433403
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                      • String ID:
                                                                                      • API String ID: 3906539128-0
                                                                                      • Opcode ID: 9f1139638b3df056369de36d10a25bd443a0870b0bf33701996310552448855e
                                                                                      • Instruction ID: 827401fa7b85709c6d67aee7b5506a22afc2dd98f9d62e6690368e1bc4fb37e0
                                                                                      • Opcode Fuzzy Hash: 9f1139638b3df056369de36d10a25bd443a0870b0bf33701996310552448855e
                                                                                      • Instruction Fuzzy Hash: 5731C2749012289BCB21DF69D9897CDBBB8BF18314F5051EAE41CA7250EB749F858F48
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%
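An added triage example, not part of the Joe Sandbox report and not code from the RisePro sample: a Python script that parses the per-function "APIs" and "String ID" entries in the format used on this page (the CryptUnprotectData/LocalFree block, the IsDebuggerPresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter block, and the string-only blocks carrying the 149.18.24.96 host with a form-encoded Content-Type header and the SQLite error text) and maps each function block to an analyst heuristic with the `ref` address to jump to in IDA. The embedded input is copied from the blocks on this page; the rule names and verdict wording are assumptions of the example, not statements the report makes. The one caveat a practitioner would want is encoded in the second rule: an IsDebuggerPresent + SetUnhandledExceptionFilter(NULL) + UnhandledExceptionFilter triad inside one small function is also what the MSVC CRT emits for its fault-reporting path, so on its own it is weak evidence of deliberate anti-debugging.

```python
import re

# Constructed input: "APIs" and "String ID" lines copied from several function
# blocks of this report, with the page's "Uniqueness" line used as the block
# separator. Everything else in the blocks (hashes, dump sources) is omitted.
REPORT_EXCERPT = """\
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004D1275
• LocalFree.KERNEL32(?), ref: 004D12A4
• LocalFree.KERNEL32(?,?), ref: 004D1365
Uniqueness
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 004333EC
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 004333F6
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00433403
Uniqueness
• String ID: 149.18.24.96$149.18.24.96$Content-Type: application/x-www-form-urlencoded$Content-Type: application/x-www-form-urlencoded
Uniqueness
• String ID: max$min$too many terms in compound SELECT
Uniqueness
  • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,?,0044A0B9), ref: 004446D6
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044D85C
Uniqueness
"""

# "• Func.MODULE(arg,arg), ref: 0040XXXX", optionally prefixed by the
# "Part of subcall function ...:" marker the report uses for callee APIs.
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# SQLite's own error messages, as seen in the string blocks on this page.
SQLITE_MSGS = {"too many terms in compound SELECT", "at most %d tables in a join", "cannot use index: %s"}


def parse_blocks(text):
    """Split the excerpt into per-function blocks.

    Each block is (apis, strings) where apis holds
    (func, module, args_tuple, ref_address_int, is_subcall) entries.
    """
    blocks, apis, strings = [], [], []
    for line in text.splitlines():
        if line.strip() == "Uniqueness":
            blocks.append((apis, strings))
            apis, strings = [], []
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            apis.append((m["func"], m["mod"], args, int(m["ref"], 16), bool(m["sub"])))
            continue
        m = STR_RE.match(line)
        if m:
            strings.extend(s for s in m["ids"].split("$") if s)
    if apis or strings:
        blocks.append((apis, strings))
    return blocks


# Analyst heuristics (assumptions of this example). Each rule sees one function
# block, because the report groups API calls per disassembled function.
def rule_dpapi(apis, strings):
    for func, mod, _args, ref, _sub in apis:
        if func == "CryptUnprotectData" and mod == "CRYPT32":
            return f"CryptUnprotectData at {ref:08X}: DPAPI decryption, the usual path to browser passwords and cookies"
    return None


def rule_debugger_filter(apis, strings):
    direct = {func for func, _m, _a, _r, sub in apis if not sub}
    if not {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= direct:
        return None
    # A NULL first argument clears the filter; together with the other two calls
    # this is the shape of MSVC CRT fault-reporting code, not necessarily evasion.
    null_filter = any(func == "SetUnhandledExceptionFilter" and args[:1] == ("00000000",)
                      for func, _m, args, _r, _s in apis)
    ref = min(r for _f, _m, _a, r, _s in apis)
    verdict = ("matches MSVC CRT fault-reporting code (filter cleared with NULL); weak evidence of anti-debugging on its own"
               if null_filter else "possible anti-debugging / exception-based evasion")
    return f"IsDebuggerPresent + exception-filter triad near {ref:08X}: {verdict}"


def rule_c2_strings(apis, strings):
    ips = sorted({s for s in strings if IPV4_RE.match(s)})
    form_post = any(s.startswith("Content-Type: application/x-www-form-urlencoded") for s in strings)
    if ips and form_post:
        return f"hard-coded IPv4 {', '.join(ips)} beside a form-encoded Content-Type header: C2 POST candidate"
    return None


def rule_sqlite(apis, strings):
    hits = sorted(SQLITE_MSGS & set(strings))
    if hits:
        return f"embedded SQLite error text {hits!r}: statically linked SQLite, consistent with reading browser databases"
    return None


RULES = (rule_dpapi, rule_debugger_filter, rule_c2_strings, rule_sqlite)


def triage(text):
    """Return one finding string per (block, rule) hit, in page order."""
    findings = []
    for apis, strings in parse_blocks(text):
        for rule in RULES:
            finding = rule(apis, strings)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(REPORT_EXCERPT):
        print("-", finding)
```

Run against the embedded excerpt it reports four findings (DPAPI use, the CRT-shaped debugger/exception-filter triad, the 149.18.24.96 POST candidate, and embedded SQLite) and stays silent on the GetLocaleInfoW block, which is plain CRT locale code. The same parser can be pointed at the full "APIs"/"String ID" text of a report to get a ref-addressed worklist before opening the dump in IDA.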

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: @$at most %d tables in a join$cannot use index: %s
                                                                                      • API String ID: 0-1661248
                                                                                      • Opcode ID: 96278dc3c2256f420819860643cefb534853969c864d33d1d4ee65e6d1989b47
                                                                                      • Instruction ID: 1e85c1d1c864a2752028fd896f2660f9a60132eac6b45b977aee6aafcb7e98c9
                                                                                      • Opcode Fuzzy Hash: 96278dc3c2256f420819860643cefb534853969c864d33d1d4ee65e6d1989b47
                                                                                      • Instruction Fuzzy Hash: 3B724875A087418FD724CF28C440A2ABFE2FFCA314F158A5DE8999B391D771E945CB82
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00551780: GetVersionExA.KERNEL32(?), ref: 005517A6
                                                                                      • GetVersionExA.KERNEL32(?), ref: 005510AE
                                                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 005510CD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Version$AttributesFile
                                                                                      • String ID:
                                                                                      • API String ID: 1468075466-0
                                                                                      • Opcode ID: 97c2f0af1e1d7325e694b2aa72ffb2bf89a0a7e1763b9606cc2be0516b8671bd
                                                                                      • Instruction ID: 1b6ae3cb7f5bf0e907ef9fa77f2bed44bd693e69e760e1f883d9a1ea48be3fa6
                                                                                      • Opcode Fuzzy Hash: 97c2f0af1e1d7325e694b2aa72ffb2bf89a0a7e1763b9606cc2be0516b8671bd
                                                                                      • Instruction Fuzzy Hash: 9A112736A006148BC720DF7DE988BAA7FE9FB59325F0001A7ED08D3250DA30DD48CBA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • FindClose.KERNEL32(000000FF,?,004209DA,?), ref: 0042C837
                                                                                      • FindFirstFileExW.KERNEL32(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,004209DA,?), ref: 0042C866
                                                                                      • GetLastError.KERNEL32(?,004209DA,?), ref: 0042C878
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$CloseErrorFileFirstLast
                                                                                      • String ID:
                                                                                      • API String ID: 4020440971-0
                                                                                      • Opcode ID: 86c14a02093f16810e4dd88f91deff2d5f86e2f0abe4bed8fc1f86c1b24be754
                                                                                      • Instruction ID: 8a27f9886f01e289c274a129579c59828a859e60d8a88321f661c1881ad45666
                                                                                      • Opcode Fuzzy Hash: 86c14a02093f16810e4dd88f91deff2d5f86e2f0abe4bed8fc1f86c1b24be754
                                                                                      • Instruction Fuzzy Hash: B4F0B431100518BFDB103F79EC488BE3B9CEF14371B508626F969D11B1D7718965D664
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      • invalid distance too far back, xrefs: 004FF11D
                                                                                      • invalid distance code, xrefs: 004FF104
                                                                                      • invalid literal/length code, xrefs: 004FF0E5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: invalid distance code$invalid distance too far back$invalid literal/length code
                                                                                      • API String ID: 0-3255898291
                                                                                      • Opcode ID: a56b6f9168196dd5cbb45870d9149c3749346c5705395b0878eb4e917256bc04
                                                                                      • Instruction ID: 8d2d3c4523878f4030503be7c435480a9b53d15c3056f5b6c5059bdf7dfacae5
                                                                                      • Opcode Fuzzy Hash: a56b6f9168196dd5cbb45870d9149c3749346c5705395b0878eb4e917256bc04
                                                                                      • Instruction Fuzzy Hash: 49F19231E002599FCB04CF69C5905BDBBF2FF99301B2481AED595EB342D739AA06CB64
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0054BB45
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0054BE47
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                      • String ID:
                                                                                      • API String ID: 885266447-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00553513
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00553571
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 885266447-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• InternetCloseHandle.WININET(?), ref: 004FA262
• InternetCloseHandle.WININET(?), ref: 004FA271
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: CloseHandleInternet
• String ID:
• API String ID: 1081599783-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0043C210
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043C22F
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 1518329722-0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID: +$/
• API String ID: 0-2439032044
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID: match
• API String ID: 0-2052834565
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID: %s-mj%08X
• API String ID: 0-77246884
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00447E03,00000000,00000000,00000000), ref: 00447CC2
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: InformationTimeZone
• String ID:
• API String ID: 565725191-0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID: ~IP
• API String ID: 0-3959306736
Uniqueness
Uniqueness Score: -1.00%

APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0044830F,?,?,00000008,?,?,0045277F,00000000), ref: 00448541
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID: !
• API String ID: 0-2657877971
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: __allrem
• String ID:
• API String ID: 2933888876-0
                                                                                      • Opcode ID: a9d30a74fc4e9ed61f6c396232b0d774953ff2e67443f99245b097325991053d
                                                                                      • Instruction ID: 6a3e6f16453dbbf5a8bbe516ce83afefbcf635a20edd48ca6a6075a7bef4e538
                                                                                      • Opcode Fuzzy Hash: a9d30a74fc4e9ed61f6c396232b0d774953ff2e67443f99245b097325991053d
                                                                                      • Instruction Fuzzy Hash: A9619D31610744CFCB19CF6DC880A5AFBF1BF95304B048AAEE886DB752C630E955CB91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0042E62B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: FeaturePresentProcessor
                                                                                      • String ID:
                                                                                      • API String ID: 2325560087-0
                                                                                      • Opcode ID: 3ca076d294132ea85c9225524bd060b2b5d0a9659c1cd1948e615a2f79d017dc
                                                                                      • Instruction ID: 0560f1a0132bf4e5b1c808d14a47f9a7b5d2127d5f653d530456e995a7e1946a
                                                                                      • Opcode Fuzzy Hash: 3ca076d294132ea85c9225524bd060b2b5d0a9659c1cd1948e615a2f79d017dc
                                                                                      • Instruction Fuzzy Hash: 1A517EB1A01215CBDB18CF69E9857AABBF4FB68310F6480AAD815EB790D379DD04CF50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: afc79e698587ceb94eb08f2d5911b01c91996052b760619b6665b5f770433781
                                                                                      • Instruction ID: 43a8121c9936acc675afad3d7a398d95df7ce8f9f1e10b0a7353c4c380b6e0d1
                                                                                      • Opcode Fuzzy Hash: afc79e698587ceb94eb08f2d5911b01c91996052b760619b6665b5f770433781
                                                                                      • Instruction Fuzzy Hash: AD41C5B5844219AFEF20DF69CC89AAEBBB9EF45304F1442DEE44DD3201D6349E848F54
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,?,0044A0B9), ref: 004446D6
                                                                                        • Part of subcall function 004446D2: SetLastError.KERNEL32(00000000,00000000,?,00000008,000000FF), ref: 00444778
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044DAAF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$InfoLocale
                                                                                      • String ID:
                                                                                      • API String ID: 3736152602-0
                                                                                      • Opcode ID: c2975fa7154ef1f307fe959cf56d6e9e0eddb6192ca9df98402dda858ca7e39f
                                                                                      • Instruction ID: dd78411b6d02ea73808ec2e7c3fcf06bf5b204a043b4b0ce9a73ff3597b80607
                                                                                      • Opcode Fuzzy Hash: c2975fa7154ef1f307fe959cf56d6e9e0eddb6192ca9df98402dda858ca7e39f
                                                                                      • Instruction Fuzzy Hash: 7A21D032A05206ABFB289A25CC46EBB73A8EF08344F11407FF901D6241EB78ED00CB58
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: -
                                                                                      • API String ID: 0-2547889144
                                                                                      • Opcode ID: 380dda1ef3d93faf75dbacb9f630860303182309aaebddffecc3a3ea39fa0403
                                                                                      • Instruction ID: 38aa0a0541716d94f7284c8eb05237e614240b63d97cf31906db9550cd6421b3
                                                                                      • Opcode Fuzzy Hash: 380dda1ef3d93faf75dbacb9f630860303182309aaebddffecc3a3ea39fa0403
                                                                                      • Instruction Fuzzy Hash: 91C1B2759007049FEB21CFA4C841AEEFBF6FF48310F108A59E5A6D7690D770AA46CB51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 0
                                                                                      • API String ID: 0-4108050209
                                                                                      • Opcode ID: 9fae787529c539db411449c7c426ecae237ed91d3812021c802cfd60af6ea9cf
                                                                                      • Instruction ID: 20f36868057f2dc5694f653adca667ab833700143c84c98609cf2c37f38438c9
                                                                                      • Opcode Fuzzy Hash: 9fae787529c539db411449c7c426ecae237ed91d3812021c802cfd60af6ea9cf
                                                                                      • Instruction Fuzzy Hash: BEB1D37158060A8BCB28DE6885556BFB7A1AF0C304F142A1FD5D2A7381C73CAD65CB9B
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,?,0044A0B9), ref: 004446D6
                                                                                        • Part of subcall function 004446D2: SetLastError.KERNEL32(00000000,00000000,?,00000008,000000FF), ref: 00444778
                                                                                      • EnumSystemLocalesW.KERNEL32(0044D808,00000001,00000000,?,-00000050,?,0044DE3C,00000000,?,?,?,00000055,?), ref: 0044D754
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                                                      • String ID:
                                                                                      • API String ID: 2417226690-0
                                                                                      • Opcode ID: 74811ef92082ea11476a4a0775b59368989c922df0a41872fce1cb506a1c7c39
                                                                                      • Instruction ID: d63533fa27c32808a75666b88b8b659c3fd8f93e3591a50ebc9a6a7f41383f5d
                                                                                      • Opcode Fuzzy Hash: 74811ef92082ea11476a4a0775b59368989c922df0a41872fce1cb506a1c7c39
                                                                                      • Instruction Fuzzy Hash: 22114C3B6007055FEB18AF39C89167BBB91FF84359B15442EE94747B40D379B842CB40
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,?,0044A0B9), ref: 004446D6
                                                                                        • Part of subcall function 004446D2: SetLastError.KERNEL32(00000000,00000000,?,00000008,000000FF), ref: 00444778
                                                                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044DB05,00000000,00000000,?), ref: 0044DCB6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$InfoLocale
                                                                                      • String ID:
                                                                                      • API String ID: 3736152602-0
                                                                                      • Opcode ID: 0637a9234226735897cadec0c07571a5b51b04de3a391088df2eeea5decfeb04
                                                                                      • Instruction ID: 25f27c41e2a799376a793f10ec0ae59c946a4f3c6d1d0bc4c30979dedc61f3af
                                                                                      • Opcode Fuzzy Hash: 0637a9234226735897cadec0c07571a5b51b04de3a391088df2eeea5decfeb04
                                                                                      • Instruction Fuzzy Hash: AE01DB32A001166BEF1C97258C856FB7754DB40354F15442EEC47A71C0DAB8ED41D594
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,?,0044A0B9), ref: 004446D6
                                                                                        • Part of subcall function 004446D2: SetLastError.KERNEL32(00000000,00000000,?,00000008,000000FF), ref: 00444778
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0044D644
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$InfoLocale
                                                                                      • String ID: utf8
                                                                                      • API String ID: 3736152602-905460609
                                                                                      • Opcode ID: 920c1418828a3e559e3acd869b1a92a1130720e4529be8c9e90a49c049048bcc
                                                                                      • Instruction ID: 6c0174c134c73646d7c90a0ea1aa7825cb3b77a2b70d1140e75137df18781df8
                                                                                      • Opcode Fuzzy Hash: 920c1418828a3e559e3acd869b1a92a1130720e4529be8c9e90a49c049048bcc
                                                                                      • Instruction Fuzzy Hash: 51F02832A00115ABEB14AF39DC5AEBA73E8DF45314F12007FF602D7240EA7CAD049758
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,?,0044A0B9), ref: 004446D6
                                                                                        • Part of subcall function 004446D2: SetLastError.KERNEL32(00000000,00000000,?,00000008,000000FF), ref: 00444778
                                                                                      • EnumSystemLocalesW.KERNEL32(0044DA5B,00000001,?,?,-00000050,?,0044DE04,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0044D7C7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                                                      • String ID:
                                                                                      • API String ID: 2417226690-0
                                                                                      • Opcode ID: 49b0da54b3289b7529160025e64babfda73cccd0dd63a0630e318fd5595f48d0
                                                                                      • Instruction ID: c5dd859dd70427a1582982cb37ea1c70f7b8b22991fc0cf0f6faf13280faefb1
                                                                                      • Opcode Fuzzy Hash: 49b0da54b3289b7529160025e64babfda73cccd0dd63a0630e318fd5595f48d0
                                                                                      • Instruction Fuzzy Hash: 42F0F6366003045FEB245F399C91A7BBB91EF8176CF15846EFA464BA90C6B99C02CA14
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: d
                                                                                      • API String ID: 0-2564639436
                                                                                      • Opcode ID: 65b2b50e87701b05392edcc5b016cabdb43a27c71a424911f7f495d90d19c7da
                                                                                      • Instruction ID: 3fb9d88d0b5f755fd0e6344615324f693740c7374d349f51c13debef489c49ab
                                                                                      • Opcode Fuzzy Hash: 65b2b50e87701b05392edcc5b016cabdb43a27c71a424911f7f495d90d19c7da
                                                                                      • Instruction Fuzzy Hash: A9B181706087468FD714CF29C4905AABFE1BFD9308F1885ADE8958F342D775E906CB91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 0043EADB: EnterCriticalSection.KERNEL32(?,?,0044035C,00000000,00578B08,0000000C,00440324,0042C58A,?,00444F1D,0042C58A,?,00444870,00000001,00000364,?), ref: 0043EAEA
                                                                                      • EnumSystemLocalesW.KERNEL32(00445A34,00000001,00578D88,0000000C,00445E69,00000000), ref: 00445A79
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                      • String ID:
                                                                                      • API String ID: 1272433827-0
                                                                                      • Opcode ID: 15786d997aef7d7ab4e4b205401f3d5632b5533645e4db0cf4740f2cdb25dd2e
                                                                                      • Instruction ID: 975feb7b3ab3afacf800ca2749cddded062046f6123fa37677f8dc3026703573
                                                                                      • Opcode Fuzzy Hash: 15786d997aef7d7ab4e4b205401f3d5632b5533645e4db0cf4740f2cdb25dd2e
                                                                                      • Instruction Fuzzy Hash: E2F03C32A41200DFD700DF99E846B5977F1EB18724F10851AE800AB2D1CAB949049F44
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,?,0044A0B9), ref: 004446D6
                                                                                        • Part of subcall function 004446D2: SetLastError.KERNEL32(00000000,00000000,?,00000008,000000FF), ref: 00444778
                                                                                      • EnumSystemLocalesW.KERNEL32(0044D5F0,00000001,?,?,?,0044DE5E,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0044D6CE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                                                      • String ID:
                                                                                      • API String ID: 2417226690-0
                                                                                      • Opcode ID: ad720073d8a9bd0854b318b08c834bdb29ebfc33f3660edff20abc08132d780f
                                                                                      • Instruction ID: e55e49f08a5d554f6926ce35e3531e1ed2b45db46240f784fd6e82346de52d89
                                                                                      • Opcode Fuzzy Hash: ad720073d8a9bd0854b318b08c834bdb29ebfc33f3660edff20abc08132d780f
                                                                                      • Instruction Fuzzy Hash: BEF0553A70020857EB14AF39D81576BBF90EFC2714B0B405EEE098F281CA79D842CB94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00442706,?,20001004,00000000,00000002,?,?,00441CF8), ref: 00445FF8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoLocale
                                                                                      • String ID:
                                                                                      • API String ID: 2299586839-0
                                                                                      • Opcode ID: 1ba360382770a577bdc0a634bc701b9d591f825f29f064a57b32caf63b92feb7
                                                                                      • Instruction ID: f4173b9e4e9db5570490656a11340cfbd407105faa0d346c5000665c7e3cf4e8
                                                                                      • Opcode Fuzzy Hash: 1ba360382770a577bdc0a634bc701b9d591f825f29f064a57b32caf63b92feb7
                                                                                      • Instruction Fuzzy Hash: D4E08632540A1CBBEF122F61DC04E9E3F16EF44761F004416FD05A6222CB798D25BBDA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • IsDebuggerPresent.KERNEL32 ref: 004E2C93
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: DebuggerPresent
                                                                                      • String ID:
                                                                                      • API String ID: 1347740429-0
                                                                                      • Opcode ID: 6d7b403be2a52da18699192a358012470769ff12c202795e8b52c9651caf2a84
                                                                                      • Instruction ID: de7932f46881d58097039676193586107e5d50b177220b61d64bf596e7e07861
                                                                                      • Opcode Fuzzy Hash: 6d7b403be2a52da18699192a358012470769ff12c202795e8b52c9651caf2a84
                                                                                      • Instruction Fuzzy Hash: 4EE07D71704104AFC709CB0AAD1037AB7ECEB85701F14409DF84CC3500C23DCD08A620
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

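The function records on this page all share one shape (APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, Uniqueness), and the fields worth pivoting on across reports are the API String ID and the Instruction Fuzzy Hash. The following parser is an added example of my own, not code from the Joe Sandbox report or its IDA plugin: it turns records in this format into dicts and offers two small lookups (records that call a given API directly, and a fuzzy-hash to API-String-ID index). The sample input is constructed from two records copied from this page with the indentation and link residue removed and the Similarity block trimmed; the dict key names and helper names are my own choice.

```python
"""Parse Joe Sandbox IDA-plugin function records (APIs / Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity / Uniqueness) into dicts so API String IDs
and instruction fuzzy hashes can be pivoted on. Added example; field names are mine."""
import re

# Constructed sample: two records copied from the report above, with the page
# indentation and "Download File" link residue removed and the Similarity
# block trimmed to the fields this example uses.
SAMPLE = """\
APIs
  • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,?,0044A0B9), ref: 004446D6
• EnumSystemLocalesW.KERNEL32(0044D5F0,00000001,?,?,?,0044DE5E), ref: 0044D6CE
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Instruction Fuzzy Hash: BEF0553A70020857EB14AF39D81576BBF90EFC2714B0B405EEE098F281CA79D842CB94
Uniqueness

Uniqueness Score: -1.00%
APIs
• IsDebuggerPresent.KERNEL32 ref: 004E2C93
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: DebuggerPresent
• String ID:
• API String ID: 1347740429-0
• Instruction Fuzzy Hash: 4EE07D71704104AFC709CB0AAD1037AB7ECEB85701F14409DF84CC3500C23DCD08A620
Uniqueness

Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}

# One API line: optional "Part of subcall function <caller>:" prefix, then
# Name.MODULE, optional (args), then "ref: <address>".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+):\s+)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$")


def parse_records(text):
    """Split the listing on 'Uniqueness Score' and return one dict per record."""
    records, rec, section = [], {"apis": [], "strings": []}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()   # drop indentation and bullet
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if line.startswith("Uniqueness Score:"):  # last field of every record
            rec["uniqueness_score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            records.append(rec)
            rec, section = {"apis": [], "strings": []}, None
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                rec["apis"].append({
                    "api": m["api"], "module": m["module"], "ref": m["ref"],
                    "args": m["args"].split(",") if m["args"] else [],
                    "via_subcall": m["caller"]})   # None when the call is direct
            continue
        if section == "Strings":                  # raw string entries, kept as-is
            rec["strings"].append(line)
            continue
        key, _, value = line.partition(":")       # e.g. "API String ID: 1347740429-0"
        rec[key.strip().lower().replace(" ", "_")] = value.strip()
    return records


def records_calling(records, api_name):
    """Records whose own body (not a subcall) invokes api_name."""
    return [r for r in records
            if any(a["api"] == api_name and a["via_subcall"] is None for a in r["apis"])]


def fuzzy_hash_index(records):
    """Instruction Fuzzy Hash -> API String ID, for matching functions across reports."""
    return {r["instruction_fuzzy_hash"]: r["api_string_id"]
            for r in records if "instruction_fuzzy_hash" in r}


if __name__ == "__main__":
    for r in records_calling(parse_records(SAMPLE), "IsDebuggerPresent"):
        print(r["apis"][0]["ref"], r["api_string_id"], r["instruction_fuzzy_hash"])
```

Subcall entries are kept but flagged, so a lookup for GetLastError does not attribute the call to the EnumSystemLocalesW wrapper that merely reaches it through 004446D2; the fuzzy-hash index is the field to compare when the same function turns up in another report under a different image base.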
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: -
                                                                                      • API String ID: 0-2547889144
                                                                                      • Opcode ID: ffad52e287b60b8b48c8f6c01dcfbe838c716be90c45fb450b26370899277487
                                                                                      • Instruction ID: 1559c6fbe9af4ae949f9f59b4d9dd60709f0b2c6334ddd8d40e317b99a3fbb23
                                                                                      • Opcode Fuzzy Hash: ffad52e287b60b8b48c8f6c01dcfbe838c716be90c45fb450b26370899277487
                                                                                      • Instruction Fuzzy Hash: 8681AF70911648AEEF219AB4C840BEDFFF5EF05201F1489E8E8D1E3B41D678D64AC7A1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: caf834001ea446df0036a476286a7bfb4e90ec212345cfca0d0e976b8e82d378
                                                                                      • Instruction ID: 6dc6575b03be9784365497c085fa600415a15eb75f263b80c6d4bb0475320933
                                                                                      • Opcode Fuzzy Hash: caf834001ea446df0036a476286a7bfb4e90ec212345cfca0d0e976b8e82d378
                                                                                      • Instruction Fuzzy Hash: AB929E70A083528FC714CF29D49466ABBF1BFD9308F18896DE885D7352E735E849CB92
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e66eafb21ff0ac23a1e243a383367402beece03311f5ec548545498dddb0c253
                                                                                      • Instruction ID: f66ee135833696fdc7097fc137d742b9d11648fb3e57faaf4428e0af157d3001
                                                                                      • Opcode Fuzzy Hash: e66eafb21ff0ac23a1e243a383367402beece03311f5ec548545498dddb0c253
                                                                                      • Instruction Fuzzy Hash: 653274B3F5161447DF1CCA6ECC922EDB2E36FD821871E813DE80AE3345EA79E9454684
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fb20a9ab949ab236c62cc85e773eeeaf98a45e05a4b9f90c927e224cd229a3f5
                                                                                      • Instruction ID: 7734e3287553b3d74106f6f7eb9ccba05eed1c215cdc5eb9b880f13b62f88aab
                                                                                      • Opcode Fuzzy Hash: fb20a9ab949ab236c62cc85e773eeeaf98a45e05a4b9f90c927e224cd229a3f5
                                                                                      • Instruction Fuzzy Hash: 65428D75A043418FE714CF28C480B5ABBE1BFC8314F149A6DE9999B395D7B1E8C5CB82
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 462a57ca317a6d8a166d02cb38495b8c20b9ea2f44dbbe5edf3c46a57e50bf80
                                                                                      • Instruction ID: 7757f8fc9b8f85dab1bb2ad46412550d50e0bedee1a40c7e8741c7df14e7ece4
                                                                                      • Opcode Fuzzy Hash: 462a57ca317a6d8a166d02cb38495b8c20b9ea2f44dbbe5edf3c46a57e50bf80
                                                                                      • Instruction Fuzzy Hash: 8A122171E006099FDF14CFA9C884AAFBBF6BF88310F144629E856A7291E731AD458F51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ef81d08433bf8d8d61e6c1161020cb8fffbde7e1d3568ab1fbacf3de246997fd
                                                                                      • Instruction ID: ba967dd3ff9d9106477157ee49b7d729a4060b443a8a457c01192f13d4eca8ea
                                                                                      • Opcode Fuzzy Hash: ef81d08433bf8d8d61e6c1161020cb8fffbde7e1d3568ab1fbacf3de246997fd
                                                                                      • Instruction Fuzzy Hash: DA02B3326106968FC724CF29C88107BBBF1EF89311769886ED9D6DB781C634F612CB60
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: cd521b889542f296bfaed5314055fa668bf2ffd65be26f9d3c7731796762692a
                                                                                      • Instruction ID: 5e2d1ab2bce61d981860ebf19bddab20534b6d4d11a507bd48879200d39f2fed
                                                                                      • Opcode Fuzzy Hash: cd521b889542f296bfaed5314055fa668bf2ffd65be26f9d3c7731796762692a
                                                                                      • Instruction Fuzzy Hash: 15125674A00B098FCB24CF29C5C0AAAB7F1FF88314B14496EE99A8B751D735F951CB85
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bae7487293e0dc385c770392db7ca73dace1d0f42b9179006753cc26472b5183
                                                                                      • Instruction ID: 58816452aaef0bab64cc97f158be379e85dfabc4257e2525a70992e3c6a28104
                                                                                      • Opcode Fuzzy Hash: bae7487293e0dc385c770392db7ca73dace1d0f42b9179006753cc26472b5183
                                                                                      • Instruction Fuzzy Hash: 21F15F329051928FDB158E38C4A13EDBF72BF65341F1846A7DC999B383D2389B59C790
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 39387ab85209766842b9284995c4f4661568adcf7e725f55e952964d27ec746d
                                                                                      • Instruction ID: 544e97e2d2659a48e5ca0f5675e74e05ae03e0083d16ca512a67e675fa9a4e76
                                                                                      • Opcode Fuzzy Hash: 39387ab85209766842b9284995c4f4661568adcf7e725f55e952964d27ec746d
                                                                                      • Instruction Fuzzy Hash: 27027C74905215CFCB19CF58C4D48B9BBF1FFA9310F29819DD8899B3A6D730AA81CB91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5fbb21310ebcda3e4e059c5daabd12ca751ce5a75bdd29feff0510c95ec1bd5b
• Instruction ID: e176e8c39fa0001ffa0331148fc1a1e597aad8ea40cb8f55bb963474ee5d0d66
• Opcode Fuzzy Hash: 5fbb21310ebcda3e4e059c5daabd12ca751ce5a75bdd29feff0510c95ec1bd5b
• Instruction Fuzzy Hash: BEE1F372F1022A8FCB05CFA8D8816ADFBF1AF88324F5941AAD815B7340D774A955CB94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b936da6fa63ff3c9941933694ab20e4ced834cba7d39d6f97687a7cc9c1a2aa9
• Instruction ID: b77fb66b65a7cd15b76525c16936a83aaa1f8e48e04690ffc265ef7540f6e5ab
• Opcode Fuzzy Hash: b936da6fa63ff3c9941933694ab20e4ced834cba7d39d6f97687a7cc9c1a2aa9
• Instruction Fuzzy Hash: 67C1CD709806068FCB24CF68C494A7BBBB2AF0D304F24660BD4D297791C339AD65CB5B
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: afcc77529efb64274b7416809ca556df6147631fdf66756cd8a0b3ef413a42af
• Instruction ID: 5f1cb8c8074dd1ad8c9c3560b724a861c65c7d1d7404c3ef60a989e79c7d9ee6
• Opcode Fuzzy Hash: afcc77529efb64274b7416809ca556df6147631fdf66756cd8a0b3ef413a42af
• Instruction Fuzzy Hash: 9FB1E675A007019BEB389F25CCC2AB7B3A9EF54308F54456FE943C6680EA7DE986C714
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c5e9afb0340c538037aee8e06cf4db1c74506ff76afd08ac3cc375c4bd7e949
• Instruction ID: 21ea325e3d8e9dd88ad6d2e4823945e325a7d4879c9c0f24fc1850b01c051b63
• Opcode Fuzzy Hash: 3c5e9afb0340c538037aee8e06cf4db1c74506ff76afd08ac3cc375c4bd7e949
• Instruction Fuzzy Hash: 10D19F70600B41CBE724CF39C45079ABBE0FF45314F148A6DD4EA8B781EB74A489CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9226b04f7e21239919893a05cdb86704bbfbc6d518d31c226dace148a3012db9
• Instruction ID: 7a6889ae545e6ec7e5da51a817b46c2a83bd4d4ff43436e387e76d31d11313cc
• Opcode Fuzzy Hash: 9226b04f7e21239919893a05cdb86704bbfbc6d518d31c226dace148a3012db9
• Instruction Fuzzy Hash: 97B1B0756087019FC720CF68C840A6BBBE5FF88324F144B2DF8AAD3690D774EA558B52
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 893fc609b8402a8608f33f145b25375dfb948b4b09f3cbc2c50ffdfc71324a8c
• Instruction ID: cf1624fd1a6dc0b57627c03be5c97227f8004610d698b89aec3193db8da64621
• Opcode Fuzzy Hash: 893fc609b8402a8608f33f145b25375dfb948b4b09f3cbc2c50ffdfc71324a8c
• Instruction Fuzzy Hash: FFA157B4A016169FDB14CF69C49066AFBE1FF8A315F28C66ADC18DB311E731E915CB80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b08204afe2b93367e389797d6b26a5b5906cfef6ab924b9fa18c453b9a8b958
• Instruction ID: 4760c8aac2775d88ce5afe2aa9a6c194579425224feb06dc2f39e30c9f8e2f3f
• Opcode Fuzzy Hash: 1b08204afe2b93367e389797d6b26a5b5906cfef6ab924b9fa18c453b9a8b958
• Instruction Fuzzy Hash: FB8100B0E00245AFDB118F69C9907BBBBA4EB1A346F4401AADC54A7343D7399A0DD7A4
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 21a67febc048bd5e7bed61c903892d463eae84642cc4542d2051080d3f21be36
• Instruction ID: 153ad128e3baa2a89b3cd3a6b4d1e78249d5372dd193227f4e93c557145195e1
• Opcode Fuzzy Hash: 21a67febc048bd5e7bed61c903892d463eae84642cc4542d2051080d3f21be36
• Instruction Fuzzy Hash: 6C61E731610609AFEB34CAA8C841AEEFFF9FF45310F108AADE596D36D0D270AA45C751
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 794a7f1c8da851de123a8cb36b784223d3d5061ff9f43bc90911fb1ba4d4a164
• Instruction ID: 0bac669ca15a16959d8963909ca58fedb4fc25c6a12a3c3dd1bbd6b990ac7096
• Opcode Fuzzy Hash: 794a7f1c8da851de123a8cb36b784223d3d5061ff9f43bc90911fb1ba4d4a164
• Instruction Fuzzy Hash: 087163356201E44FD748CF5EECC0436BB62E3AE301749866ADA81CB395C575F92AE7A0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 142b9e497edc779feb926e324d820a004adefa17f44103fd404662cc1c40eab9
• Instruction ID: 38e074bbf3e805e58539ca8d739cae2271b6a1961dda6b795eee354daaa2981f
• Opcode Fuzzy Hash: 142b9e497edc779feb926e324d820a004adefa17f44103fd404662cc1c40eab9
• Instruction Fuzzy Hash: 2361DA316201A84FE748DF5EFCC0476B361E3AE301789461AEA81CB395C675F56AE7E0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd71f3774c32148dbb9a209fc02133cbfe0372526eb67c7398d57bd26b7fbe4d
• Instruction ID: 96e57ead98d41e04fe68f30f62ea81bdeba23ce11bdd67b69aec938acc7c3f29
• Opcode Fuzzy Hash: bd71f3774c32148dbb9a209fc02133cbfe0372526eb67c7398d57bd26b7fbe4d
• Instruction Fuzzy Hash: 8F516072D00119AFDF04CF99C841AEFBBB6FF88304F598499E915AB301D7789A41DB94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1584348cf9e3f3be4a9b24cc4e2ffe07feb8b558a8eaef0232f41b95094aa3e0
• Instruction ID: 7211d50b4de8a7ebd746b1f7ef274bdd41a532539b5b6ed0c87081a493a79e19
• Opcode Fuzzy Hash: 1584348cf9e3f3be4a9b24cc4e2ffe07feb8b558a8eaef0232f41b95094aa3e0
• Instruction Fuzzy Hash: 19312972B80708AEDB209E69CC40BCDBF96EF45211F04C559FD9C9B750C271E259C7A0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b63d64401bd7e6c0b9e96cbe20f5ac7b232a30cab2b22ebf5df1188a7b10d86
• Instruction ID: f555f2e009fd02678a7dd5ab17e7374ade26630ceb05d7c72dcffa46560cf6fc
• Opcode Fuzzy Hash: 1b63d64401bd7e6c0b9e96cbe20f5ac7b232a30cab2b22ebf5df1188a7b10d86
• Instruction Fuzzy Hash: CA21A341E1A6A84BDB00593ED891792BFC5C797329F28D3F4D8588FBDED514A40AC3E1
Uniqueness

Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                      • Instruction ID: 263d72efdb7cc7cf478f7cccf9532bf8706e55590fa81357ec6907f8a2a5f3c2
                                                                                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                      • Instruction Fuzzy Hash: 2F113D7724308243D604EA7DC8B45B7A7D5EBCE323F2DA37BD0418B774D22AD9459608
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, Offset: 05CC3000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_5cc3000_2zdult23rz.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                      • Instruction ID: 7e72ef2e6690c9a5bb5c930835545b38448b448786202d9581441aaa1fa49460
                                                                                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                      • Instruction Fuzzy Hash: ED11A573340100AFDB54DF55ECC1FA677EAFB89620B1984A9ED08CB312D676E842C760
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLastError.KERNEL32 ref: 004E35C8
                                                                                      • RmStartSession.RSTRTMGR(?,00000000,?), ref: 004E3620
                                                                                      • RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?), ref: 004E3657
                                                                                      • RmGetList.RSTRTMGR(?,00000000,?,?,?), ref: 004E367F
                                                                                      • RmShutdown.RSTRTMGR(?,00000001,00000000), ref: 004E36A0
                                                                                      • RmEndSession.RSTRTMGR(?), ref: 004E36F9
                                                                                      • SetLastError.KERNEL32(00000000), ref: 004E3700
                                                                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 004E371F
                                                                                      • GetLastError.KERNEL32(?,?,00000000), ref: 004E372A
                                                                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 004E3742
                                                                                      • RmStartSession.RSTRTMGR(?,00000000,?,?,00000000), ref: 004E37B1
                                                                                      • RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004E37E8
                                                                                      • RmGetList.RSTRTMGR(?,?,?,?,?,?,00000000), ref: 004E3810
                                                                                      • RmShutdown.RSTRTMGR(?,00000001,00000000,?,00000000), ref: 004E3830
                                                                                      • RmEndSession.RSTRTMGR(?,?,00000000), ref: 004E387F
                                                                                      • SetLastError.KERNEL32(00000000,?,00000000), ref: 004E3886
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLastSession$CopyFileListRegisterResourcesShutdownStart
                                                                                      • String ID:
                                                                                      • API String ID: 1315383477-0
                                                                                      • Opcode ID: e4494fbdcfc94840c99f63401240c0ef558749a62026360f375190c91bdac27d
                                                                                      • Instruction ID: 5bf62267ccc7f4fe4693b81ad114fb0840f9afa76d5c815397b18ace0e574e84
                                                                                      • Opcode Fuzzy Hash: e4494fbdcfc94840c99f63401240c0ef558749a62026360f375190c91bdac27d
                                                                                      • Instruction Fuzzy Hash: AC02AD71D00259AFCB15DFA5D888BEEBBB8FF08315F14022AE815A7391D7389E44CB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CharNextA.USER32 ref: 004FAED5
                                                                                      • CharNextA.USER32 ref: 004FAEF5
                                                                                      • CharNextA.USER32 ref: 004FAF15
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004FAF46
                                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000003,00000000), ref: 004FAFAC
                                                                                      • GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000003,00000000), ref: 004FAFC8
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 004FAFCB
                                                                                      • lstrcpynA.KERNEL32(00000000,?,?), ref: 004FAFD8
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004FB003
                                                                                      • HeapFree.KERNEL32(00000000), ref: 004FB006
                                                                                      Strings
                                                                                      • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36, xrefs: 004FAFE8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$CharNext$Process$AllocFreeUnothrow_t@std@@@__ehfuncinfo$??2@lstrcpynlstrlen
                                                                                      • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
                                                                                      • API String ID: 2305228968-2732702261
                                                                                      • Opcode ID: e7e08bb893945eb25dbe9f12266579f6bca237da5d2f85bac1dfd766cae6c02f
                                                                                      • Instruction ID: aa675b424b4e1d7cb5e2c758342acdf9c2bcf323f175e4b0a03793666df143de
                                                                                      • Opcode Fuzzy Hash: e7e08bb893945eb25dbe9f12266579f6bca237da5d2f85bac1dfd766cae6c02f
                                                                                      • Instruction Fuzzy Hash: 5A41F5F5A013099FCF10CFA89C846BABFF9EF69304F14009BDA08A7351D6744D169B65
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LocalAlloc.KERNEL32(00000040,0000001C), ref: 004F1FD6
                                                                                      • SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,00000000), ref: 004F1FE9
                                                                                      • LocalAlloc.KERNEL32(00000040,0000001C), ref: 004F2021
                                                                                      • SetupDiEnumDeviceInterfaces.SETUPAPI(?,00000000,00562560,00000000,00000000), ref: 004F203F
                                                                                      • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,00000000,00000000,00000000,00000000,00000000), ref: 004F205D
                                                                                      • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,?,00000000,00000000,00000000,00000000), ref: 004F2081
                                                                                      • LocalFree.KERNEL32(?,?,?), ref: 004F20B2
                                                                                      • LocalFree.KERNEL32(?), ref: 004F20B7
                                                                                      • LocalFree.KERNEL32(?), ref: 004F20BC
                                                                                      • GetModuleHandleExA.KERNEL32(00000004,004F2120,?), ref: 004F2136
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Local$DeviceSetup$Free$AllocDetailEnumInterface$HandleInfoInterfacesModule
                                                                                      • String ID:
                                                                                      • API String ID: 1887780378-0
                                                                                      • Opcode ID: 9607e7ffee7eea4fae023fd6746c200fb26042c967f9c31e3c338901e71b8e09
                                                                                      • Instruction ID: 494fbb85ca7e0afc687ede11ca133eaef54922e140210b8116aefa76882a7597
                                                                                      • Opcode Fuzzy Hash: 9607e7ffee7eea4fae023fd6746c200fb26042c967f9c31e3c338901e71b8e09
                                                                                      • Instruction Fuzzy Hash: 7651C171D00209ABEB10DF55DD05BAEBFB4FF04710F20421AFA04B7290D7B96A40DBA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwind
                                                                                      • String ID: L;V$csm$csm$csm
                                                                                      • API String ID: 944608866-3339109018
                                                                                      • Opcode ID: f219870799de8bf8d93d667d8b8260d42bea9e02fac3f36c4a5e93c416ed644d
                                                                                      • Instruction ID: 1a3b2e3aada59ff5ba11aad393d6dbbfac41e5171332123353ed96db4a75ae81
                                                                                      • Opcode Fuzzy Hash: f219870799de8bf8d93d667d8b8260d42bea9e02fac3f36c4a5e93c416ed644d
                                                                                      • Instruction Fuzzy Hash: 81B19971800219EFCF18DFA5CA819AFBBB5FF08314F14605BE9106B252D7B8DA51CB99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00451BDF), ref: 0045228C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: DecodePointer
                                                                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                      • API String ID: 3527080286-3064271455
                                                                                      • Opcode ID: 78e946a8a646183d16df3de3d23e88c0ab9a8f5197b1dee8433a7cf1ad31b41b
                                                                                      • Instruction ID: bc8b7c0c72404b0f1092b03344519f1b29bd64598f75d1cbe0b332ea915a13b4
                                                                                      • Opcode Fuzzy Hash: 78e946a8a646183d16df3de3d23e88c0ab9a8f5197b1dee8433a7cf1ad31b41b
                                                                                      • Instruction Fuzzy Hash: 40513B70A0050ADBCF148F69DA481AE7FB4FB46306F144147EC81A7266C7FC8A6EDB59
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00417826
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00417848
                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00417868
                                                                                      • __Getctype.LIBCPMT ref: 00417911
                                                                                      • std::_Facet_Register.LIBCPMT ref: 00417930
                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00417948
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                                                      • String ID: 0E@$\vA
                                                                                      • API String ID: 1102183713-2226545
                                                                                      • Opcode ID: 5ce362214d94140fd8bcfa868daed7a92143abca53e426fa9f2a0771951e31b2
                                                                                      • Instruction ID: 09abc8fdb797d46040b568194e29cb2883a52247b0fc0860c35a2cd0411dedce
                                                                                      • Opcode Fuzzy Hash: 5ce362214d94140fd8bcfa868daed7a92143abca53e426fa9f2a0771951e31b2
                                                                                      • Instruction Fuzzy Hash: 1041DF70E042159FCB10DF58D985AAEBBB4EB14710F24826AE806AB351DB34AE84CBD5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00551780: GetVersionExA.KERNEL32(?), ref: 005517A6
                                                                                      • GetVersionExA.KERNEL32(?), ref: 00551173
                                                                                      • DeleteFileW.KERNEL32(00000000), ref: 00551192
                                                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 00551199
                                                                                      • GetLastError.KERNEL32 ref: 005511A6
                                                                                      • Sleep.KERNEL32(00000064), ref: 005511BC
                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 005511C5
                                                                                      • GetFileAttributesA.KERNEL32(00000000), ref: 005511CC
                                                                                      • GetLastError.KERNEL32 ref: 005511D9
                                                                                      • Sleep.KERNEL32(00000064), ref: 005511EF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$AttributesDeleteErrorLastSleepVersion
                                                                                      • String ID:
                                                                                      • API String ID: 1421123951-0
                                                                                      • Opcode ID: 254916c3e086d8c6bc62c099ca2d2d4904ded30bcc8ed0b7d7c71cfea1b2b4f0
                                                                                      • Instruction ID: 2cf516fa490645c339834e1360d609708cb136430ee32b1ceb257c2769835cc0
                                                                                      • Opcode Fuzzy Hash: 254916c3e086d8c6bc62c099ca2d2d4904ded30bcc8ed0b7d7c71cfea1b2b4f0
                                                                                      • Instruction Fuzzy Hash: 5F21F635900E149BCB20AB78AC9C2AD7EB4FB6A336F100197EE1AD3280DA704849D751
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004FA60F
                                                                                      • GetProcAddress.KERNEL32 ref: 004FA6FD
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004FAA56
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc
                                                                                      • String ID: oG
                                                                                      • API String ID: 190572456-640269701
                                                                                      • Opcode ID: 33fd1c439eafc3505eccf3fcbfca229b35a13e3ed88270e9ff94ed8903c26656
                                                                                      • Instruction ID: ebb65e544f4b55e3f8542421140664e1fb1608402e4cfdf1bbd5af7b98d055f7
                                                                                      • Opcode Fuzzy Hash: 33fd1c439eafc3505eccf3fcbfca229b35a13e3ed88270e9ff94ed8903c26656
                                                                                      • Instruction Fuzzy Hash: 052257B8D05208EFDB54CFA8D69099CBBB1FB48310F2085AAD459BB351DB706B81EF44
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00419503
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00419525
                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00419545
                                                                                      • std::_Facet_Register.LIBCPMT ref: 004195ED
                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00419605
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                      • String ID: rA$rA
                                                                                      • API String ID: 459529453-3077158656
                                                                                      • Opcode ID: 48346a4b37d6e1cd3ba8cbbf1d4ec3c7fffbc0c2fe5b83c24005499ebec7f7a9
                                                                                      • Instruction ID: f82415891cd8211b3ee928bea85c35c3d7de34b435ea50990ee9c55b5ecdff82
                                                                                      • Opcode Fuzzy Hash: 48346a4b37d6e1cd3ba8cbbf1d4ec3c7fffbc0c2fe5b83c24005499ebec7f7a9
                                                                                      • Instruction Fuzzy Hash: 9141FF71A00114EBCB11CF58D890BAEBBB5FF40754F14412EE80AAB391D738ED45CB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(?), ref: 004F5AF1
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004F5AFD
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 004F5C8A
                                                                                      • SetEvent.KERNEL32(00000000), ref: 004F5C91
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Event$AddressCreateHandleModuleProc
                                                                                      • String ID:
                                                                                      • API String ID: 2341598627-0
                                                                                      • Opcode ID: d109a23d399d555b11f58c63a38eb96ac9726a57879fb5c022911b9b90253375
                                                                                      • Instruction ID: ab29904312227280e52672ba860979ed658178f04e72ca629b13ed8f0c29f346
                                                                                      • Opcode Fuzzy Hash: d109a23d399d555b11f58c63a38eb96ac9726a57879fb5c022911b9b90253375
                                                                                      • Instruction Fuzzy Hash: B5F1E2B49083489FD714CF69D880A9EFBF4FB88354F148A5EE9A9A7350D7309A41CF16
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 004FA320
                                                                                      • GetLastError.KERNEL32 ref: 004FA415
                                                                                      • InternetQueryOptionA.WININET(00000000,0000001F,80000000,?), ref: 004FA440
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: InternetOption$ErrorLastQuery
                                                                                      • String ID:
                                                                                      • API String ID: 3980908186-0
                                                                                      • Opcode ID: 13505afe8bee8b3cefde12bb8587481c6416af93cd2c35f6481ac9ff60e3cb98
                                                                                      • Instruction ID: f01b2b404452f55ee339e3d54677c8633c7154c7c4ff77dbfa4ec76481364019
                                                                                      • Opcode Fuzzy Hash: 13505afe8bee8b3cefde12bb8587481c6416af93cd2c35f6481ac9ff60e3cb98
                                                                                      • Instruction Fuzzy Hash: B7515EB5D40318ABEB20CF94DC85BFEBBB4EB48711F10411AEE14B7380D7B46A059BA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LockFile.KERNEL32(00000000,40000000,00000000,00000001,00000000), ref: 00551A13
                                                                                      • Sleep.KERNEL32(00000001), ref: 00551A21
                                                                                      • GetLastError.KERNEL32 ref: 00551A38
                                                                                      • UnlockFile.KERNEL32(00000000,40000000,00000000,?,00000000), ref: 00551A83
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$ErrorLastLockSleepUnlock
                                                                                      • String ID:
                                                                                      • API String ID: 3015003838-0
                                                                                      • Opcode ID: f314dbaf667b006f79d421b092528d3be634706ec04991754e085598023d61a6
                                                                                      • Instruction ID: 1a32dd69ea1bb1e7667ccce0abadb203d749469daee7398687d0a90ca2f09069
                                                                                      • Opcode Fuzzy Hash: f314dbaf667b006f79d421b092528d3be634706ec04991754e085598023d61a6
                                                                                      • Instruction Fuzzy Hash: 8341D531B02B156BDB318A28DDA575EBF65FB94722F208217ED08AB340D7719D88C7C4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CharNextA.USER32 ref: 004F9F45
                                                                                      • CharNextA.USER32 ref: 004F9F5C
                                                                                      • CharNextA.USER32 ref: 004F9F75
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004F9FA6
                                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000003,00000000), ref: 004FA00C
                                                                                      • GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,00000003,00000000), ref: 004FA022
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 004FA029
                                                                                      • lstrcpynA.KERNEL32(00000000,?,?), ref: 004FA036
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: CharNext$Heap$AllocProcessUnothrow_t@std@@@__ehfuncinfo$??2@lstrcpynlstrlen
                                                                                      • String ID:
                                                                                      • API String ID: 1659885099-0
                                                                                      • Opcode ID: 03b31b514a5a5bdda045a1bb753ed8d65a6b884bdd88744eed651d4e0cf060da
                                                                                      • Instruction ID: 6765c8874e15113026cbde70767e16841385025c065108afb9b47ee34e1d185f
                                                                                      • Opcode Fuzzy Hash: 03b31b514a5a5bdda045a1bb753ed8d65a6b884bdd88744eed651d4e0cf060da
                                                                                      • Instruction Fuzzy Hash: 2A4106715042089FCB21CF6D98846B6BBE9EF6E314B14415BEE48E7320D7349C469B78
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: _strrchr
                                                                                      • String ID:
                                                                                      • API String ID: 3213747228-0
                                                                                      • Opcode ID: 34bc779386904af94e3a65745d8093cf5441aa8cc4e4cdc27bc5775c85d1135f
                                                                                      • Instruction ID: 2b99461290635fdf7c51841e77c4c0c2a1f842bf94a4ab4c5a5740794f6651be
                                                                                      • Opcode Fuzzy Hash: 34bc779386904af94e3a65745d8093cf5441aa8cc4e4cdc27bc5775c85d1135f
                                                                                      • Instruction Fuzzy Hash: F7B16A72900255AFFB118F24CC81BAF7BA5EF17354F16415BE804AB382D67CD901CBAA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00431B97
                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00431B9F
                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00431C28
                                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00431C53
                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00431CA8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                      • String ID: csm
                                                                                      • API String ID: 1170836740-1018135373
                                                                                      • Opcode ID: f167ac4cbc0b3b9c8b624ea0916c7860bb678a2d2bf17d7334bf3ba534fc49b9
                                                                                      • Instruction ID: 00089ecd58738c76d8715bf1292c521005f35f5fc362e079b464ccdb9f512a68
                                                                                      • Opcode Fuzzy Hash: f167ac4cbc0b3b9c8b624ea0916c7860bb678a2d2bf17d7334bf3ba534fc49b9
                                                                                      • Instruction Fuzzy Hash: 1441C730A002089BCF10DF69D845A9FBBF5FF09314F14A05BE8149B3A2D779EA15CB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLastError.KERNEL32 ref: 00550C2B
                                                                                      • GetVersionExA.KERNEL32(?), ref: 00550C50
                                                                                      • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00550C83
                                                                                      • LocalFree.KERNEL32(?), ref: 00550C9A
                                                                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00550CD3
                                                                                        • Part of subcall function 00551FA0: AreFileApisANSI.KERNEL32(00000000,00000000,?,?,?,00550CE5), ref: 00551FAC
                                                                                        • Part of subcall function 00551FA0: MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,?,?,?,00550CE5), ref: 00551FC1
                                                                                        • Part of subcall function 00551FA0: MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00551FE7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharFormatMessageMultiWide$ApisErrorFileFreeLastLocalVersion
                                                                                      • String ID: OsError 0x%x (%u)
                                                                                      • API String ID: 807219750-2664311388
                                                                                      • Opcode ID: cd324edbeeec52278ffea66cb50500e71f7e35b7cc21714691c6525984e38f6a
                                                                                      • Instruction ID: 08cd3c40af0c2fcdf6899e604bb854dbb55886f7669cb3a7ffab2d22d202db60
                                                                                      • Opcode Fuzzy Hash: cd324edbeeec52278ffea66cb50500e71f7e35b7cc21714691c6525984e38f6a
                                                                                      • Instruction Fuzzy Hash: DC21F831A44204BBDB20AF65DC1AFAE7F78FF45751F1000AAFD09A6290DA709E08DB61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • FreeLibrary.KERNEL32(00000000,?,00445D1D,0040390D,?,00000000,?,?,?,00445F47,00000022,FlsSetValue,00566B90,00566B98,?), ref: 00445CCF
                                                                                      Strings
                                                                                      Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: bb92fe7f77a9a60fedb79d5c16dfdd37ff0c4ae1ee88665c25182e52ac412831
• Instruction ID: 12b6cf18798c9e2326ec9fd18e61984b9916515d6beb6ef8b0fade810c99d971
• Opcode Fuzzy Hash: bb92fe7f77a9a60fedb79d5c16dfdd37ff0c4ae1ee88665c25182e52ac412831
• Instruction Fuzzy Hash: D2212B31A01B11A7EF219B24AC81A5B3768EB617B0F240112ED06E7391DB78ED04DAD5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0045292E,00452AD7), ref: 004528CA
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 004528E0
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 004528F5
Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: 5ca132e14272f3b082404aaa7a6dd11ed0959ef9272e18b7197f08eea655af98
• Instruction ID: 729d5fff529096ec94aeb90dbf1dcce1d83b151dad17e07028f84ed9cc8fa2d5
• Opcode Fuzzy Hash: 5ca132e14272f3b082404aaa7a6dd11ed0959ef9272e18b7197f08eea655af98
• Instruction Fuzzy Hash: 44F028F1701223674B251EA45E8063B36D8FB13356700113BDC01F3342EAD8CC8EA79A
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,00450A1D,00000000,00000000,?,00000001,?,?,?,?,00000001,?), ref: 004507F3
• __freea.LIBCMT ref: 00450988
• __freea.LIBCMT ref: 0045098E
• __freea.LIBCMT ref: 004509C4
• __freea.LIBCMT ref: 004509CA
• __freea.LIBCMT ref: 004509DA
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: __freea$Info
• String ID:
• API String ID: 541289543-0
• Opcode ID: 7ae90ec05b67949f3af620a9af225e5826dd7639eb69a58de472c3d5dfabbd17
• Instruction ID: 7f4fb2f38fc2a3d88391827f987f0ec3a0eaf25df59567eae6c8024b596d3b8f
• Opcode Fuzzy Hash: 7ae90ec05b67949f3af620a9af225e5826dd7639eb69a58de472c3d5dfabbd17
• Instruction Fuzzy Hash: 3A71D5BA900205ABEF21AE558C42FAF77A59F49315F29041BEC44B7383D63D9C08C799
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(?,?,?,?,?), ref: 0042DC84
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0042DD10
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0042DD7B
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0042DD97
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0042DDFA
• CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0042DE17
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ByteCharMultiWide$CompareInfoString
• String ID:
• API String ID: 2984826149-0
• Opcode ID: 4c9a90a3dea74e2108ad6b7928db56527dcac77587bbea659fc7601973b93a34
• Instruction ID: e9bc3badf4b96eefdde01511e177a356cb443475cd584fb63612fd280f30124b
• Opcode Fuzzy Hash: 4c9a90a3dea74e2108ad6b7928db56527dcac77587bbea659fc7601973b93a34
• Instruction Fuzzy Hash: A971EF32F006299BDF209F65EC45BFFBBB5AF59710F95001BE854AB290D6788C00C7A9
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 004F17F9
• MultiByteToWideChar.KERNEL32(0000000F,00000000,?,000000FF,00000000,0000000F), ref: 004F182D
• WideCharToMultiByte.KERNEL32(000004E3,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 004F1854
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000), ref: 004F1882
• WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000004E3), ref: 004F192C
• WideCharToMultiByte.KERNEL32(?,00000000,0000000F,000000FF,00000000,00000000,00000000,00000000), ref: 004F1957
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID:
• API String ID: 626452242-0
• Opcode ID: b243b1d06e98ba986ab6623083b8fafbda3b67136764b6e60c675227b3c12ef3
• Instruction ID: c171202e14bccd46751fe906430aab80820f84c3078230ed5993c6e32c17da72
• Opcode Fuzzy Hash: b243b1d06e98ba986ab6623083b8fafbda3b67136764b6e60c675227b3c12ef3
• Instruction Fuzzy Hash: EB51FB71A00215BBDB209F65DC06FAF7AA5EF45760F24032AFA14B73D0D7B9990087E9
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0042D982
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0042D9ED
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DA0A
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0042DA49
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DAA8
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0042DACB
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ByteCharMultiStringWide
• String ID:
• API String ID: 2829165498-0
• Opcode ID: e437e0c0af398b2dc6ece3cc5697cfe5836360b16713ca35af6ef7086f63228d
• Instruction ID: 7ced6e395bd95c176d412ce2a3b5c4c8357bf70d43b6ddba362163eb6abffa5e
• Opcode Fuzzy Hash: e437e0c0af398b2dc6ece3cc5697cfe5836360b16713ca35af6ef7086f63228d
• Instruction Fuzzy Hash: 1351E172A00226ABDF209FA5EC45FAB3BB9EF44754F54402AF905E6290D778CC40DB98
Uniqueness
Uniqueness Score: -1.00%

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0041A2CA
• std::_Lockit::_Lockit.LIBCPMT ref: 0041A2EC
• std::_Lockit::~_Lockit.LIBCPMT ref: 0041A30C
• __Getcoll.LIBCPMT ref: 0041A3AF
• std::_Facet_Register.LIBCPMT ref: 0041A413
• std::_Lockit::~_Lockit.LIBCPMT ref: 0041A42B
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
• String ID:
• API String ID: 1184649410-0
• Opcode ID: 076d0fe7c93981d2d41f397725067e6f3a6359fb17fddf899550ac6be59329cf
• Instruction ID: 4dfe593e994f1a936f3b51d0b47bc881a4e76fe992b8c8e0f1a10b66f2d188dc
• Opcode Fuzzy Hash: 076d0fe7c93981d2d41f397725067e6f3a6359fb17fddf899550ac6be59329cf
• Instruction Fuzzy Hash: C751F0B0901218DFCB11DF59E9857EEBBB0EF04314F14411EE806AB381D738AE85CB96
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 0041A959
• ___std_exception_destroy.LIBVCRUNTIME ref: 0041A972
• ___std_exception_destroy.LIBVCRUNTIME ref: 0041AB4E
• ___std_exception_destroy.LIBVCRUNTIME ref: 0041AB67
Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ___std_exception_destroy
• String ID: value
• API String ID: 4194217158-494360628
• Opcode ID: 1380824a95bc997cd1a618de76426d84b46abf83204bb8d30c209254a19dc526
• Instruction ID: 9f034d729ebebe199f4f723a1c14bfd040db2caa5f80a11ca9a640f2ae4bdf80
• Opcode Fuzzy Hash: 1380824a95bc997cd1a618de76426d84b46abf83204bb8d30c209254a19dc526
• Instruction Fuzzy Hash: 8DF10370D002488FDB14DF65C844BEEBBB4BF15304F14829EE455A7782E7786A88CFA6
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,00431CDF,0042F5D3,0042EBF1), ref: 00431CF6
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00431D04
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00431D1D
• SetLastError.KERNEL32(00000000,00431CDF,0042F5D3,0042EBF1), ref: 00431D6F
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: bdf13b6d1d8e18a8b774bc6ee8821ea5a6160ca6eff986b5a5196f214e0a0951
• Instruction ID: 84b5965ef68033184a41bf43324a8165c3f1a151a01a13dd34567c870461e457
• Opcode Fuzzy Hash: bdf13b6d1d8e18a8b774bc6ee8821ea5a6160ca6eff986b5a5196f214e0a0951
• Instruction Fuzzy Hash: EF0128362082119EA7301775BC8966B2A95DB1A7B5F30332FF421711F0EF592C45A348
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 004069C5
Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID: 0f@$`l@$parse error$ror
• API String ID: 2659868963-3266356038
• Opcode ID: 53af6addfde28bf3a16ab36eea05e26c967cdf7b503d3b1760af8db5e788244e
• Instruction ID: 449376e9882de2a67fd6c2ed42b49e996c61688416e34e3c9e616e75aad760e2
• Opcode Fuzzy Hash: 53af6addfde28bf3a16ab36eea05e26c967cdf7b503d3b1760af8db5e788244e
• Instruction Fuzzy Hash: CCB1EE71E002488FDB18DF68DC84BADBB71FF46304F1483AAE4097B792D7789A949B54
Uniqueness
Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(?,?), ref: 005515D0
                                                                                      • GetTempPathW.KERNEL32(000000E6,?,?), ref: 005515F9
                                                                                      Strings
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: PathTempVersion
• String ID: %s\etilqs_$>
• API String ID: 261301950-2315843240
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D7297C87,?,?,00000000,0055A0C5,000000FF,?,0043DE9F,?,?,0043DE73,00000016), ref: 0043DEF8
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0043DF0A
• FreeLibrary.KERNEL32(00000000,?,00000000,0055A0C5,000000FF,?,0043DE9F,?,?,0043DE73,00000016), ref: 0043DF2C
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 00423F4F
• ___std_exception_copy.LIBVCRUNTIME ref: 00423F76
Strings
Similarity
• API ID: ___std_exception_copy
• String ID: 0f@$0f@$0l@
• API String ID: 2659868963-2787657970
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 004F5E39
• GetProcessHeap.KERNEL32 ref: 004F5E44
• HeapAlloc.KERNEL32(00000000,00000000,00010000), ref: 004F5E5E
• HeapAlloc.KERNEL32(?,00000000,00010000), ref: 004F5E97
Similarity
• API ID: Heap$Alloc$AddressProcProcess
• String ID:
• API String ID: 4220703211-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 0042D46C
• AcquireSRWLockExclusive.KERNEL32(00000008), ref: 0042D48B
• AcquireSRWLockExclusive.KERNEL32(00000008,00000000), ref: 0042D4B9
• TryAcquireSRWLockExclusive.KERNEL32(00000008,00000000), ref: 0042D514
• TryAcquireSRWLockExclusive.KERNEL32(00000008,00000000), ref: 0042D52B
Similarity
• API ID: AcquireExclusiveLock$CurrentThread
• String ID:
• API String ID: 66001078-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00551780: GetVersionExA.KERNEL32(?), ref: 005517A6
• GetVersionExA.KERNEL32(?), ref: 00550F91
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00550FB6
• GetFullPathNameW.KERNEL32(00000000,00000003,00000000,00000000), ref: 00550FD6
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00550FEF
• GetFullPathNameA.KERNEL32(00000000,00000003,00000000,00000000), ref: 00551021
Similarity
• API ID: FullNamePath$Version
• String ID:
• API String ID: 495861893-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0049BD63
• Process32First.KERNEL32(00000000,?), ref: 0049BD86
• Process32Next.KERNEL32(00000000,00000128), ref: 0049BDD1
• CloseHandle.KERNEL32(00000000), ref: 0049BDDC
• CloseHandle.KERNEL32(00000000), ref: 0049BDF2
Similarity
• API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
• String ID:
• API String ID: 1789362936-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000001), ref: 004E3F9F
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?,?,00000001), ref: 004E3FC6
Strings
Similarity
• API ID: FolderPath
• String ID: cannot get value$type must be string, but is
• API String ID: 1514166925-4119898599
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: __freea
• String ID: a/p$am/pm
• API String ID: 240046367-3206640213
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 004057F2
Strings
Similarity
• API ID: ___std_exception_destroy
• String ID: ", "$: "$PT@
• API String ID: 4194217158-3328579350
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 004073FD
Strings
Similarity
• API ID: ___std_exception_copy
• String ID: 0f@$0f@$ror
• API String ID: 2659868963-919343903
                                                                                      • Opcode ID: 54ef4146cc9973e50abdb5aac5b5de4deb1e0ccdb64d7a1b44ba731a5b074de1
                                                                                      • Instruction ID: 2d5b59f1ef23ddaf1b3783c953f764ee005f0a1066ad4b0af46aed6f156e7821
                                                                                      • Opcode Fuzzy Hash: 54ef4146cc9973e50abdb5aac5b5de4deb1e0ccdb64d7a1b44ba731a5b074de1
                                                                                      • Instruction Fuzzy Hash: 0981E471D002149FDB14DF98DC81BADBBB1FF49304F14826EE858AB392D774A980DB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 004057F2
                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 0040587F
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00405948
                                                                                      Strings
                                                                                      • recursive_directory_iterator::operator++, xrefs: 004058CC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_exception_destroy$___std_exception_copy
                                                                                      • String ID: recursive_directory_iterator::operator++
                                                                                      • API String ID: 1206660477-953255998
                                                                                      • Opcode ID: f6bc180c89745b515f5c8cb3eb487b2218bfc922370238037f455579fa96e755
                                                                                      • Instruction ID: 70a2b4d5c69838f3855fcd26299ade6cc1abe9a30ceb6adbb4f24180c4878fba
                                                                                      • Opcode Fuzzy Hash: f6bc180c89745b515f5c8cb3eb487b2218bfc922370238037f455579fa96e755
                                                                                      • Instruction Fuzzy Hash: 2051E6B1900614ABC724EF25D845B9BBBF8FF04714F04462EF95693A81E778F944CBA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00406C3E
                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00406C4D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_exception_destroy
                                                                                      • String ID: at line $, column
                                                                                      • API String ID: 4194217158-191570568
                                                                                      • Opcode ID: 0ed6072321b7ec8eccecababb1c0c26a46a7ebb2679eb07bb6eee8d1640a387e
                                                                                      • Instruction ID: 827c67b6778cf999f6b6b911b024970c268a0656788cb1af533502aee38e3479
                                                                                      • Opcode Fuzzy Hash: 0ed6072321b7ec8eccecababb1c0c26a46a7ebb2679eb07bb6eee8d1640a387e
                                                                                      • Instruction Fuzzy Hash: E5513571D002049FDB08DF68DD857AEBBB5EF45304F14826EF416BB792D7B8AA808794
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 004071FE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_exception_copy
                                                                                      • String ID: 0f@$0f@$ange
                                                                                      • API String ID: 2659868963-373280750
                                                                                      • Opcode ID: ec8c38be1f093bccec6f39d26ed8a8a50c4b02158e6fab184ee58c429a3f3a88
                                                                                      • Instruction ID: 288f119f4ccb4c7cf0b8972ea0ca9e4329cc491e57a4aee3b53e0c7375ef9e73
                                                                                      • Opcode Fuzzy Hash: ec8c38be1f093bccec6f39d26ed8a8a50c4b02158e6fab184ee58c429a3f3a88
                                                                                      • Instruction Fuzzy Hash: 3E51F371D002449BDB18CFA8DC847ADBBB0FF85304F24836EE4157B391E7B8A9848B55
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • EncodePointer.KERNEL32(00000000,?), ref: 00432420
                                                                                      • CatchIt.LIBVCRUNTIME ref: 00432506
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: CatchEncodePointer
                                                                                      • String ID: MOC$RCC
                                                                                      • API String ID: 1435073870-2084237596
                                                                                      • Opcode ID: f67c2448fbd4d3d6a98c50ef117b853eaea3722c114d8127ada5358994747d23
                                                                                      • Instruction ID: 22add53dc89d87d2e38264a8044db98528aac9f98faf4db0de58bac51eca42d4
                                                                                      • Opcode Fuzzy Hash: f67c2448fbd4d3d6a98c50ef117b853eaea3722c114d8127ada5358994747d23
                                                                                      • Instruction Fuzzy Hash: 18418931900209AFCF16DF98CE81AEEBBB5FF4C304F14909AF91467261E379AA50DB54
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 0040470F
                                                                                        • Part of subcall function 0042FC4B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,00000000,?,0042C598,?,005784EC,00000000,?,00000000,-00589220), ref: 0042FCAB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionRaise___std_exception_copy
                                                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                      • API String ID: 3109751735-1866435925
                                                                                      • Opcode ID: 110ff22bb014f40d9c49da7570fe546000a4ac58dd781872af612f7db9225b4d
                                                                                      • Instruction ID: 8197f4525b88e01e27707072026cd0b0714ffa689975fe44cf17ea9c6d0ad863
                                                                                      • Opcode Fuzzy Hash: 110ff22bb014f40d9c49da7570fe546000a4ac58dd781872af612f7db9225b4d
                                                                                      • Instruction Fuzzy Hash: 051124F29007046BC710DF59E801B96B7ECBF45310F44893BFA58AB681F779A914CBA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00416C4F
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00416C76
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_exception_copy
                                                                                      • String ID: 0f@$`l@
                                                                                      • API String ID: 2659868963-1799510096
                                                                                      • Opcode ID: 477b0db39ac4bde0970ea1e1086746235186a9288c2098ecaba58f6d346df46b
                                                                                      • Instruction ID: dbb7af03cc5cb26d8bc31998855cb8f279f7f761c34c3e1fc76db9b3c3456bcf
                                                                                      • Opcode Fuzzy Hash: 477b0db39ac4bde0970ea1e1086746235186a9288c2098ecaba58f6d346df46b
                                                                                      • Instruction Fuzzy Hash: AC01CDB6910B16ABC751DF65D440842FBFCFF59310750872BA91597A00E7B4F6588BA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 0041417F
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 004141A6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_exception_copy
                                                                                      • String ID: 0f@$0f@
                                                                                      • API String ID: 2659868963-4245790314
                                                                                      • Opcode ID: a0ec767d29c154d107e2924c90945eb70bd3bcc0216d37c8e4efd4af5cc58e06
                                                                                      • Instruction ID: a7d6c344e60e7f18edcee1d7e68ac694af1bcf80748ebca3b88f48a52b3fdaf1
                                                                                      • Opcode Fuzzy Hash: a0ec767d29c154d107e2924c90945eb70bd3bcc0216d37c8e4efd4af5cc58e06
                                                                                      • Instruction Fuzzy Hash: 53F0FFB6910B16AB8751DFA6D440882FBFCFE55310750872BA51597A00F7B4F5588BA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 0041424F
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00414276
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_exception_copy
                                                                                      • String ID: 0f@$0f@
                                                                                      • API String ID: 2659868963-4245790314
                                                                                      • Opcode ID: 7df463b482ac48a62a19cdfd521df996d263433cd12c62f8aacd95f3aeb874f2
                                                                                      • Instruction ID: c81a8536ff326cbba859ccac6298cb5db3856efc80ffb62d725151cad3de68e9
                                                                                      • Opcode Fuzzy Hash: 7df463b482ac48a62a19cdfd521df996d263433cd12c62f8aacd95f3aeb874f2
                                                                                      • Instruction Fuzzy Hash: D8F0FFB6910B16AB8751DF65D440882FBFCFE55324350872BA5159BA00F7B4F6588BA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00416CBF
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00416CE6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_exception_copy
                                                                                      • String ID: 0f@$0f@
                                                                                      • API String ID: 2659868963-4245790314
                                                                                      • Opcode ID: 633ac4992eca418d5ffc677f5de7f46e5b2df270f2e158bde83afa2282cd04c5
                                                                                      • Instruction ID: 7b638e66ef1866a2a6d9d212261b8ec84c1d59c8aca785b6d2b46250148b9f13
                                                                                      • Opcode Fuzzy Hash: 633ac4992eca418d5ffc677f5de7f46e5b2df270f2e158bde83afa2282cd04c5
                                                                                      • Instruction Fuzzy Hash: 53F0FFB6A10B16AB8751DFA6D440882FBFCFE55310750872BA91597A00F7B4F5588BA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00432DC8,00000000,?,00588294,?,?,?,00432F6B,00000004,InitializeCriticalSectionEx,0056464C,InitializeCriticalSectionEx), ref: 00432E24
                                                                                      • GetLastError.KERNEL32(?,00432DC8,00000000,?,00588294,?,?,?,00432F6B,00000004,InitializeCriticalSectionEx,0056464C,InitializeCriticalSectionEx,00000000,?,00432BB2), ref: 00432E2E
                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00432E56
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad$ErrorLast
                                                                                      • String ID: api-ms-
                                                                                      • API String ID: 3177248105-2084034818
                                                                                      • Opcode ID: 5d5f985b6204148051b127e035a47a58822f607e3183de8785261b29c3834a7a
                                                                                      • Instruction ID: c9dedbc074def2dabcf9ae94258afdf3d1735c7d6a4bcca6e92b2bb5c548cfe3
                                                                                      • Opcode Fuzzy Hash: 5d5f985b6204148051b127e035a47a58822f607e3183de8785261b29c3834a7a
                                                                                      • Instruction Fuzzy Hash: 06E0D830680709B7FF101B60ED07B5A3F15BB10FA0F140021F90CA81E0D7F6E955A98D
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%
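                                                                                      The function records above (API call sites with their addresses, string xrefs, and the Opcode / Instruction IDs and fuzzy hashes the report uses for cross-sample similarity) are easier to work with once pulled out of the page layout. The following parser is an added example and is not part of the Joe Sandbox report or its tooling; it assumes only the record layout visible on this page (an "APIs" header opening each record, bullet lines for calls, xrefs and similarity fields, and a closing "Uniqueness Score" line). The embedded sample text is constructed from two of the records shown above with the indentation and the "Associated" / IDA plugin lines removed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: two records copied from this page, in the layout the
# report uses, with leading table indentation and the memory-dump lines removed.
SAMPLE = """\
APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 004057F2
• ___std_exception_destroy.LIBVCRUNTIME ref: 0040587F
• ___std_exception_copy.LIBVCRUNTIME ref: 00405948
Strings
• recursive_directory_iterator::operator++, xrefs: 004058CC
Similarity
• API ID: ___std_exception_destroy$___std_exception_copy
• String ID: recursive_directory_iterator::operator++
• API String ID: 1206660477-953255998
• Opcode ID: f6bc180c89745b515f5c8cb3eb487b2218bfc922370238037f455579fa96e755
• Instruction Fuzzy Hash: 2051E6B1900614ABC724EF25D845B9BBBF8FF04714F04462EF95693A81E778F944CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00432DC8), ref: 00432E24
• GetLastError.KERNEL32(?,00432DC8,00000000,?,00588294), ref: 00432E2E
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00432E56
Strings
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: 5d5f985b6204148051b127e035a47a58822f607e3183de8785261b29c3834a7a
• Instruction Fuzzy Hash: 06E0D830680709B7FF101B60ED07B5A3F15BB10FA0F140021F90CA81E0D7F6E955A98D
Uniqueness

Uniqueness Score: -1.00%
"""

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR" (no argument list).
API_RE = re.compile(
    r"^• (?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
XREF_RE = re.compile(r"^• (?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]{8})$")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+): (?P<value>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score: (?P<score>-?\d+(?:\.\d+)?)%$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (name, module, call-site address)
    strings: list = field(default_factory=list)   # (text, xref address)
    fields: dict = field(default_factory=dict)    # Similarity / dump-source bullets
    uniqueness: Optional[float] = None

    @property
    def opcode_id(self) -> Optional[str]:
        return self.fields.get("Opcode ID")

    @property
    def entry_va(self) -> Optional[int]:
        """Lowest referencing address: a cheap locator for the function in the dump."""
        refs = [r for _, _, r in self.apis] + [r for _, r in self.strings]
        return min(int(r, 16) for r in refs) if refs else None


def parse_records(text: str) -> list:
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":            # each record opens with its API list
            cur = FunctionRecord()
            records.append(cur)
            section = line
            continue
        if line in SECTIONS:
            section = line
            continue
        if cur is None:
            continue
        m = SCORE_RE.match(line)
        if m:
            cur.uniqueness = float(m.group("score"))
            continue
        if section == "APIs":
            m = API_RE.match(line)    # "Part of subcall function ..." lines do not match and are skipped
            if m:
                cur.apis.append((m.group("name"), m.group("module"), m.group("ref").upper()))
        elif section == "Strings":
            m = XREF_RE.match(line)
            if m:
                cur.strings.append((m.group("text"), m.group("ref").upper()))
        else:
            m = FIELD_RE.match(line)
            if m:
                cur.fields[m.group("key")] = m.group("value")
    return records


def index_by_api(records: list) -> dict:
    """Map API name -> sorted call-site addresses across all records."""
    idx = {}
    for rec in records:
        for name, _module, ref in rec.apis:
            idx.setdefault(name, set()).add(ref)
    return {k: sorted(v) for k, v in idx.items()}


def shared_opcode_ids(records_a: list, records_b: list) -> list:
    """Opcode IDs that occur in both record sets; the report uses this ID for
    similarity, so matches are the functions to compare first across two samples."""
    ids_a = {r.opcode_id for r in records_a if r.opcode_id}
    ids_b = {r.opcode_id for r in records_b if r.opcode_id}
    return sorted(ids_a & ids_b)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(hex(rec.entry_va), rec.fields.get("API ID"), rec.opcode_id[:16])
    print(index_by_api(recs))
```

Run over a full report export, the index gives every call site of an API of interest (the LoadLibraryExW sites here, for instance) without scrolling the page, and the shared Opcode IDs between two exports narrow a variant comparison to the functions the report itself considers identical.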

APIs
• DeleteFileW.KERNEL32(A{C,?,00437B41,?), ref: 00446268
• GetLastError.KERNEL32(?,00437B41,?), ref: 00446272
• __dosmaperr.LIBCMT ref: 00446279
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: DeleteErrorFileLast__dosmaperr
• String ID: A{C
• API String ID: 1545401867-2902953714
• Opcode ID: d06e79dd3ba0cf7262f3e9d2e22031695f25905068d46e1a3810f42683731183
• Instruction ID: 82298aed12121fbb76aae4bd86d3a8824ef8c8c9545724addf748e8f9a95ec58
• Opcode Fuzzy Hash: d06e79dd3ba0cf7262f3e9d2e22031695f25905068d46e1a3810f42683731183
• Instruction Fuzzy Hash: E2D02232018A093B8B002BFAFC0C81B3F1CDAC23B4B112212F12CC21A0DF79C880E540
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetConsoleOutputCP.KERNEL32(D7297C87,00000000,00000000,00000000), ref: 00443792
  • Part of subcall function 004494E3: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004450F2,?,00000000,-00000008), ref: 00449544
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004439E4
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00443A2A
• GetLastError.KERNEL32 ref: 00443ACD
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: 6c43be61cbda0f6c097b573cc04eb8237f5f21ceac64de5e22f9761793270a88
• Instruction ID: 0fce1cefab234659ad1f0217530304adac3e90b60b936070d7093385ba198d0a
• Opcode Fuzzy Hash: 6c43be61cbda0f6c097b573cc04eb8237f5f21ceac64de5e22f9761793270a88
• Instruction Fuzzy Hash: 44D18BB5E00248AFDB04CFA8C8809AEBBF5FF09714F28416AE456EB351D734AA05CF54
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: 22f8edb4a09f2bb08f15e0402e3299f4473d24481a960265d7d1ad828239f7ca
• Instruction ID: 5e987339bfe843b9f296834bd0eb5b9b12b2b56c7c95d39286bcad5928a9d5c7
• Opcode Fuzzy Hash: 22f8edb4a09f2bb08f15e0402e3299f4473d24481a960265d7d1ad828239f7ca
• Instruction Fuzzy Hash: ED51D171601606AFDB289F15D841B7AB7A4EF08714F14552FEC06872A1E739ED81CB98
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7511f47f2b8d2fe514c419f7a8a5e884613d924f38ebbfd2c945a9fddd631bd9
• Instruction ID: 2126f9bf5856ab37efc9431dc69293eb0664d4eadafdfeefbb5e8820937b8c22
• Opcode Fuzzy Hash: 7511f47f2b8d2fe514c419f7a8a5e884613d924f38ebbfd2c945a9fddd631bd9
• Instruction Fuzzy Hash: 0D41D572A00204AFD7259F3ACC42B6BBBA9EB8C714F10552FF951DB3C1D2B9A9408784
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004494E3: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004450F2,?,00000000,-00000008), ref: 00449544
• GetLastError.KERNEL32 ref: 0044A2DE
• __dosmaperr.LIBCMT ref: 0044A2E5
• GetLastError.KERNEL32(?,?,?,?), ref: 0044A31F
• __dosmaperr.LIBCMT ref: 0044A326
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
• Opcode ID: 4aeb7d56512abd99a56e580aa898e1e8254ab7db8b2fd6091a031305fb940926
• Instruction ID: e808a53d57fca8bd1b61f112aec170daf55b4bc7c6cded0a037d44453b824fae
• Opcode Fuzzy Hash: 4aeb7d56512abd99a56e580aa898e1e8254ab7db8b2fd6091a031305fb940926
• Instruction Fuzzy Hash: E8210A31644205AFEB20AF62CC8096B77A8FF44368700841FFD19C3340EB79EC619B96
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?), ref: 005517A6
  • Part of subcall function 00552170: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,005517D5), ref: 00552186
• AreFileApisANSI.KERNEL32 ref: 005517E2
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 005517FB
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000), ref: 00551821
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ByteCharMultiWide$ApisFileVersion
• String ID:
• API String ID: 928063719-0
• Opcode ID: 031ec5809b8440159ef872148459a1f590b3e289563d8e6ea78dae530cbe2791
• Instruction ID: c51e4a5004bc5c8d9a7cba6e479370a0363687ca0ec671a4cb42cd6ec07258b3
• Opcode Fuzzy Hash: 031ec5809b8440159ef872148459a1f590b3e289563d8e6ea78dae530cbe2791
• Instruction Fuzzy Hash: 0B112C72B4471466D730677C5C4AB6B3A9CE75A725F100266FE08E62C0DE745D08C795
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a5f53a45029589cfd6d82fecb2c1e63987311ce998a70f6839ef034e9f5ce76
• Instruction ID: 81415193f2b284d52f75cea432416567dc69263c3e1cc8c88057087f1c3c8e8c
• Opcode Fuzzy Hash: 7a5f53a45029589cfd6d82fecb2c1e63987311ce998a70f6839ef034e9f5ce76
• Instruction Fuzzy Hash: DF21D831601225AFDB28AF77CC4096B77B9EF48368F10651BF959D7280D7B8EC418B94
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(00000000,00000000,?,00000000), ref: 00551D99
• GetLastError.KERNEL32 ref: 00551DA6
• WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 00551DDE
• GetLastError.KERNEL32 ref: 00551E0F
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ErrorFileLast$PointerWrite
• String ID:
• API String ID: 2977825765-0
• Opcode ID: fdd63083b0cb03508c34529706ddeef352dd26621ea0ce66a248962179dc77d8
• Instruction ID: 124afd07655c65dfe8ebf02a55b60b01ba141f4f94fe2aeeedbc6b017858f8c6
• Opcode Fuzzy Hash: fdd63083b0cb03508c34529706ddeef352dd26621ea0ce66a248962179dc77d8
• Instruction Fuzzy Hash: 5E21A432600A09ABCB20CFA8D845BDA7FF8FB05362F144266ED19D7240D771DD589BD0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044B226
  • Part of subcall function 004494E3: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004450F2,?,00000000,-00000008), ref: 00449544
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044B25E
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044B27E
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
• Opcode ID: 72d3ac7b96c30aebca4f7b81977510e4ddf762ba545c488265c91b440556a14b
• Instruction ID: e8caac45197e5b900f97a91f35687491d1a7555c8db139f57b1f8df2d9843390
• Opcode Fuzzy Hash: 72d3ac7b96c30aebca4f7b81977510e4ddf762ba545c488265c91b440556a14b
• Instruction Fuzzy Hash: 9311A1B56099157F7A1127769C8EC7F696CFE95398710006AF905D2101EFACCD0192B9
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00551E4F
• GetLastError.KERNEL32 ref: 00551E5A
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00551E82
• GetLastError.KERNEL32 ref: 00551E8C
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: ErrorFileLast$PointerRead
• String ID:
• API String ID: 2170121939-0
• Opcode ID: b49e815b288db118013f7b31ade0b5ee7bcb2275d16c9ff237f0887fb9d13391
• Instruction ID: 1c07d7795fbcd358c5ccab0054a22981654648c43a30ee7f67c6bd12fb941fbd
• Opcode Fuzzy Hash: b49e815b288db118013f7b31ade0b5ee7bcb2275d16c9ff237f0887fb9d13391
• Instruction Fuzzy Hash: BE116D32600509ABDB108FA9EC06B9ABFACEB55371F104266FD1CC7690D771D8649BD0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?,00000000,?), ref: 00551BE7
• LockFileEx.KERNEL32(?,00000001,00000000,000001FE,00000000,?,00000000,?), ref: 00551C2B
• LockFile.KERNEL32(?,?,00000000,00000001,00000000,00000000,?), ref: 00551C68
• GetLastError.KERNEL32 ref: 00551C74
Memory Dump Source
• Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
Similarity
• API ID: FileLock$ErrorLastVersion
• String ID:
• API String ID: 1561719237-0
• Opcode ID: b1f35983ee3affc0888187ea055b818f5b93c82708a4729dec28fa350ab0f381
• Instruction ID: c6e5e3f14ebcd9b74047f326a63c3359dca0738745041834ca351f4869dad2f2
• Opcode Fuzzy Hash: b1f35983ee3affc0888187ea055b818f5b93c82708a4729dec28fa350ab0f381
• Instruction Fuzzy Hash: B111E270A40715EFE720DB68DC0ABAABBB6EB14311F004166EA09E72D0D7B49D488F91
Uniqueness
Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • WideCharToMultiByte.KERNEL32(?,00000400,?,?,?,?,00000000,00000000), ref: 0042C7B8
                                                                                      • GetLastError.KERNEL32 ref: 0042C7C4
                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 0042C7EA
                                                                                      • GetLastError.KERNEL32 ref: 0042C7F6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharErrorLastMultiWide
                                                                                      • String ID:
                                                                                      • API String ID: 203985260-0
                                                                                      • Opcode ID: d60d3f0468ca365ea2d33887d1edca9153ddd58cf00a018eb0310ef3d7885722
                                                                                      • Instruction ID: 1457a662959836737ce5e9d14aa512d11431f433389b59119e43d7cb484e3981
                                                                                      • Opcode Fuzzy Hash: d60d3f0468ca365ea2d33887d1edca9153ddd58cf00a018eb0310ef3d7885722
                                                                                      • Instruction Fuzzy Hash: 8C011236A0055ABB8F221F56EC09C9F3E26FBD97A1F508015FE0596220C771C822EBB5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __EH_prolog3.LIBCMT ref: 0042CFC0
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0042CFCB
                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0042D039
                                                                                        • Part of subcall function 0042D11C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0042D134
                                                                                      • std::locale::_Setgloballocale.LIBCPMT ref: 0042CFE6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                                                                      • String ID:
                                                                                      • API String ID: 677527491-0
                                                                                      • Opcode ID: a81ae077d66b6818d886551d338491a753a81bbc704f7327620bbb46f710912f
                                                                                      • Instruction ID: df240a295bf63e2224bd77c694c8fa0b7c15e45d42fccb058baf2628ad412d74
                                                                                      • Opcode Fuzzy Hash: a81ae077d66b6818d886551d338491a753a81bbc704f7327620bbb46f710912f
                                                                                      • Instruction Fuzzy Hash: 3601D431B001249BC705EF21E84557D7B61BF88744F94000EE81117391CF7CAE4ADBC9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00551D2F
                                                                                      • GetLastError.KERNEL32 ref: 00551D3A
                                                                                      • SetEndOfFile.KERNEL32(?), ref: 00551D47
                                                                                      • GetLastError.KERNEL32 ref: 00551D51
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLast$Pointer
                                                                                      • String ID:
                                                                                      • API String ID: 1697706070-0
                                                                                      • Opcode ID: e9db830aa84e949e305a23e5519836727befb5c1dc39fe6aeceb5e7ff34a8212
                                                                                      • Instruction ID: 78cfe8da683ddb1c4eba9ffbb4783858a20702ac95fb36532bf07bb8e13b767a
                                                                                      • Opcode Fuzzy Hash: e9db830aa84e949e305a23e5519836727befb5c1dc39fe6aeceb5e7ff34a8212
                                                                                      • Instruction Fuzzy Hash: 73F03031504A08AFCB109FA8EC05AAA7BB8FB15371F104356FD2DC72A0E771DD14AB84
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0044E65F,00000000,00000001,0000000C,00000000,?,00443B21,00000000,00000000,00000000), ref: 004515D9
                                                                                      • GetLastError.KERNEL32(?,0044E65F,00000000,00000001,0000000C,00000000,?,00443B21,00000000,00000000,00000000,00000000,00000000,?,004440FB,?), ref: 004515E5
                                                                                        • Part of subcall function 004515AB: CloseHandle.KERNEL32(FFFFFFFE,004515F5,?,0044E65F,00000000,00000001,0000000C,00000000,?,00443B21,00000000,00000000,00000000,00000000,00000000), ref: 004515BB
                                                                                      • ___initconout.LIBCMT ref: 004515F5
                                                                                        • Part of subcall function 0045156D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0045159C,0044E64C,00000000,?,00443B21,00000000,00000000,00000000,00000000), ref: 00451580
                                                                                      • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0044E65F,00000000,00000001,0000000C,00000000,?,00443B21,00000000,00000000,00000000,00000000), ref: 0045160A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                      • String ID:
                                                                                      • API String ID: 2744216297-0
                                                                                      • Opcode ID: 825431769af7ecb58b9ff08572fa6bc7755dba3e29138d7d75499e0080207230
                                                                                      • Instruction ID: 4f0fea4629c9a9cefdcbd6fc6812cfd1fa0f0e5bf1bcffa0db634c91b2476c24
                                                                                      • Opcode Fuzzy Hash: 825431769af7ecb58b9ff08572fa6bc7755dba3e29138d7d75499e0080207230
                                                                                      • Instruction Fuzzy Hash: BFF03036441118BBCF221F95DC18A8A3F66FB593A2F144415FE0D96231D7328C28FBD5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00490044
                                                                                      • GetCurrentProcessId.KERNEL32 ref: 0049004C
                                                                                      • SetEvent.KERNEL32 ref: 00490069
                                                                                      • WaitForSingleObject.KERNEL32(000000FF), ref: 00490077
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: Current$EventObjectProcessSingleThreadWait
                                                                                      • String ID:
                                                                                      • API String ID: 977356572-0
                                                                                      • Opcode ID: 07ad26c9a8193a9c403b999b7260b6d74736513c4a61b8b242bc8500957e93da
                                                                                      • Instruction ID: 68696a4330ff011d049e89e8b4814e5f18df6cd1e962ac77584aedc126b31ea8
                                                                                      • Opcode Fuzzy Hash: 07ad26c9a8193a9c403b999b7260b6d74736513c4a61b8b242bc8500957e93da
                                                                                      • Instruction Fuzzy Hash: CCE0467104A615EFCB049F68EC0C865BFA5FB297717408222FC09977B0DB708888EF80
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 00408127
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00408132
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProc
                                                                                      • String ID: Ws2_32.dll
                                                                                      • API String ID: 1646373207-3093949381
                                                                                      • Opcode ID: 491b632f871c0b2e9f79da60abe9135bbe45576d811639c63c87b83e1c069342
                                                                                      • Instruction ID: 4cf5a73f60aaa9aa04889aa359a8f1718852bcf292be34ef81f356f0aae57edb
                                                                                      • Opcode Fuzzy Hash: 491b632f871c0b2e9f79da60abe9135bbe45576d811639c63c87b83e1c069342
                                                                                      • Instruction Fuzzy Hash: 1FF18D70E042468FCB25CF58C880A6EBBB1BF45314F24456EE5A5AB3D2D7356C42CBD6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406029
                                                                                      • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00406070
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_fs_directory_iterator_advance@8
                                                                                      • String ID: .
                                                                                      • API String ID: 2610647541-248832578
                                                                                      • Opcode ID: d29aef357e0ccb769bd4d7c1829c3bcfe03ac4cf065ef6d39e890d2a6deccaa5
                                                                                      • Instruction ID: 096b34988356738832717cd8d53d0dabcf9a03e197ae697f4c60f7eb60d7375d
                                                                                      • Opcode Fuzzy Hash: d29aef357e0ccb769bd4d7c1829c3bcfe03ac4cf065ef6d39e890d2a6deccaa5
                                                                                      • Instruction Fuzzy Hash: EBB1ED31A00A269FCB24DF28C484AABB3A5FF44314F14467AE956AB7C0D739AD55CFC4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422F8E
                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00422FA7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_exception_destroy
                                                                                      • String ID: value
                                                                                      • API String ID: 4194217158-494360628
                                                                                      • Opcode ID: b4d6e486459fc4165fef155cd3e93815974afef82531802b5d23e92940ab5652
                                                                                      • Instruction ID: e486267f6df33abbab02232f3a147fe49855a435ae29b4bed88eebe1dccc493b
                                                                                      • Opcode Fuzzy Hash: b4d6e486459fc4165fef155cd3e93815974afef82531802b5d23e92940ab5652
                                                                                      • Instruction Fuzzy Hash: D0911070E0025C9BCB18DBA4DD85BEDFBB4FF05304F4481AEE049A7682D7785A8ACB55
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00406641
                                                                                      • ___std_exception_destroy.LIBVCRUNTIME ref: 00406650
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_exception_destroy
                                                                                      • String ID: [json.exception.
                                                                                      • API String ID: 4194217158-791563284
                                                                                      • Opcode ID: 69e8ae6c3e54ae363f37629574a163c0fbf3223070608996bd2dae2b17642f6c
                                                                                      • Instruction ID: 9d5c587d941c6c9fb92ac9ca7a55b7e2129566a9bdf696eabab773fbc3fcb82b
                                                                                      • Opcode Fuzzy Hash: 69e8ae6c3e54ae363f37629574a163c0fbf3223070608996bd2dae2b17642f6c
                                                                                      • Instruction Fuzzy Hash: 62616570D002089BDB18DF28DD55BAEBBB0EF45304F10822EF4157B3D2D778AA948794
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00407010
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_exception_copy
                                                                                      • String ID: 0f@$0f@
                                                                                      • API String ID: 2659868963-4245790314
                                                                                      • Opcode ID: bcbe41c5aa249d1fea8852c57527764fa0294b57d9e2ba5d086127c68554cecd
                                                                                      • Instruction ID: 3516b51c1e5f9fd4da6d9ff2b6035a17077718e5c6cfc91e46ca54004dc1bd24
                                                                                      • Opcode Fuzzy Hash: bcbe41c5aa249d1fea8852c57527764fa0294b57d9e2ba5d086127c68554cecd
                                                                                      • Instruction Fuzzy Hash: EC5101B1D002449BCB18CF68D8947AEBBB0FF55318F14832EE4157B381E7B8A984CB55
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00406E29
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_exception_copy
                                                                                      • String ID: 0f@$0f@
                                                                                      • API String ID: 2659868963-4245790314
                                                                                      • Opcode ID: 97c7d59c3b195afea6fdad5512d69d55d647ae76a1cf1ad35470bd7be0820389
                                                                                      • Instruction ID: c8085b2431abbbd661158451a076a322d2444fb340424d65fcfd996802ac0ad0
                                                                                      • Opcode Fuzzy Hash: 97c7d59c3b195afea6fdad5512d69d55d647ae76a1cf1ad35470bd7be0820389
                                                                                      • Instruction Fuzzy Hash: 0351D471D002489FDB18CFA8D9447AEBBB4EF45304F14832EE4157B392E778AA84CB94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 0040470F
                                                                                        • Part of subcall function 0042FC4B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,00000000,?,0042C598,?,005784EC,00000000,?,00000000,-00589220), ref: 0042FCAB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionRaise___std_exception_copy
                                                                                      • String ID: ios_base::badbit set$ios_base::failbit set
                                                                                      • API String ID: 3109751735-1240500531
                                                                                      • Opcode ID: c80e41b3c0e3f89b34bbd97eb038494ee604058bd2ebc28d0b5fc6a2886b7790
                                                                                      • Instruction ID: b88785aaf7f68840d7686b62b29a7400031648df9c7ab407a56371cabfa6b869
                                                                                      • Opcode Fuzzy Hash: c80e41b3c0e3f89b34bbd97eb038494ee604058bd2ebc28d0b5fc6a2886b7790
                                                                                      • Instruction Fuzzy Hash: 4D4139B1900604ABC704DF59DC41BAAFBF8FF45310F14862EF914A7781E779A940CBA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_fs_get_full_path_name@12.LIBCPMT ref: 004061F2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_fs_get_full_path_name@12
                                                                                      • String ID: absolute$h<W
                                                                                      • API String ID: 319883303-1227054036
                                                                                      • Opcode ID: fc19779bb5a5af7582c79339770b481127d2738d3652d52236bc829e3857b7da
                                                                                      • Instruction ID: a39a9e8cd5e7c649dec9d62c81c2f08022a5113abdb27f993b439c29f203247c
                                                                                      • Opcode Fuzzy Hash: fc19779bb5a5af7582c79339770b481127d2738d3652d52236bc829e3857b7da
                                                                                      • Instruction Fuzzy Hash: C651AEB0E00315ABDB14DF58C9047AABBF4FF48314F10466EE815A7380D775A950CBE5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 004F2360
                                                                                      • GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 004F238D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: EncodersGdipImage$Size
                                                                                      • String ID: image/png
                                                                                      • API String ID: 864223233-2966254431
                                                                                      • Opcode ID: e21b857071d1cb9bc6449797421194390e2296bc93f2d18b0a27c6bddf1e72aa
                                                                                      • Instruction ID: 99d255883ba5ce217efe5dd06ccd874c50b7054dcb2a8d5064865148aeb1c457
                                                                                      • Opcode Fuzzy Hash: e21b857071d1cb9bc6449797421194390e2296bc93f2d18b0a27c6bddf1e72aa
                                                                                      • Instruction Fuzzy Hash: E7213BB2E0011CABDB109BB4DD816BEB7A8EF25314F1001B6ED08E7311E7799A44C655
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00404141
                                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00404190
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                      • String ID: bad locale name
                                                                                      • API String ID: 3988782225-1405518554
                                                                                      • Opcode ID: 2d018156623b56751fe73bdace615048a592e1be14230173648bc4ea361b1185
                                                                                      • Instruction ID: 95f085b47d10799f27f930042da3a8dc43f911f11589ebef340e3e8cf28b8f7c
                                                                                      • Opcode Fuzzy Hash: 2d018156623b56751fe73bdace615048a592e1be14230173648bc4ea361b1185
                                                                                      • Instruction Fuzzy Hash: 19118B70504B90AED320CF69D805B1BBBE4EF19714F008A5EE48A87B81D7B9A508CBD6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,00000000,?,0055200A), ref: 0055211A
                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000, U,00000000,00000000,0055200A), ref: 0055214A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide
                                                                                      • String ID: U
                                                                                      • API String ID: 626452242-2085870877
                                                                                      • Opcode ID: ee5a59f4ac988d56eb673c4b09d135a0ac0f9a58fb340a166edfd918ee52e803
                                                                                      • Instruction ID: 0b132648f7774e7442f2f0b6957801b08d55499a66d80b09d0b1d43035632599
                                                                                      • Opcode Fuzzy Hash: ee5a59f4ac988d56eb673c4b09d135a0ac0f9a58fb340a166edfd918ee52e803
                                                                                      • Instruction Fuzzy Hash: 38F09632B8522436E63066AA5C0BF577A5CDB47F71F20036AFF18AA1D0D9E1681092DA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 004141EF
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00414216
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000590000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3349183063.0000000000593000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_2zdult23rz.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___std_exception_copy
                                                                                      • String ID: 0f@
                                                                                      • API String ID: 2659868963-2656153907
                                                                                      • Opcode ID: ba255ed8c3bc32c490ad3c9a6150c2f47abf7cac3b88d1f1c6bb2e2459164e61
                                                                                      • Instruction ID: 79755fa87b84676f4e4474023142464d524d45420b01c2d18704369f933ac59c
                                                                                      • Opcode Fuzzy Hash: ba255ed8c3bc32c490ad3c9a6150c2f47abf7cac3b88d1f1c6bb2e2459164e61
                                                                                      • Instruction Fuzzy Hash: 1CF012B6910B16AB8751DF65D440882F7FCFE55310350872BA51597A00F7B4F5588BA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Execution Graph

                                                                                      Execution Coverage:3.1%
                                                                                      Dynamic/Decrypted Code Coverage:1.1%
                                                                                      Signature Coverage:0%
                                                                                      Total number of Nodes:1094
                                                                                      Total number of Limit Nodes:17
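Added example, not part of the Joe Sandbox report and not code from the sample: a small Python triage helper that parses the flat token stream the report uses for its execution_graph ("node-id address [API or symbol names ...] node->node") into per-address API lists and flags the API combinations an analyst would look at first. The pattern names are this example's own choices; SAMPLE is constructed here from tokens of the graph on this page and is not a Joe Sandbox export.

```python
"""Triage helper for a Joe Sandbox execution graph dumped as text.

Added example, not part of the Joe Sandbox report. Tokens in the graph are
graph-internal node ids (5+ digits), 6-hex-digit function addresses in the
32-bit image, label words attached to a node (API names, CRT symbols, or a
"NN API calls" summary), and edges of the form "60852->61082".
"""
import re
from collections import OrderedDict

NODE_ID = re.compile(r"^\d{5,}$")        # graph-internal node ids (60852, 61082, ...)
EDGE = re.compile(r"^\d+->\d+$")         # "60852->61082"
ADDRESS = re.compile(r"^[0-9a-f]{6}$")   # function address, e.g. 45a5c0
NOISE = {"API", "calls", "library", "execution_graph"}

# Constructed sample: tokens copied from the graph on this page, not a full export.
SAMPLE = (
    "execution_graph 60852 453c30 61082 42efb0 60852->61082 60856 453c4f 61087 43bb47 "
    "60856->61087 60862 453c97 __fread_nolock __Strxfrm 61099 4032a0 60862->61099 "
    "60868 453d39 60869 4032a0 43 API calls 60868->60869 "
    "60880 453dc8 GetCurrentProcess SetPriorityClass SetUnhandledExceptionFilter 60879->60880 "
    "61111 45a5c0 GetCursorPos 60880->61111 60882 453dea SetThreadExecutionState "
    "61112 45a5d5 GetCursorPos 61111->61112 61117 45a668 Sleep GetCursorPos 61116->61117 "
    "61113 45a6a8 GetPEB 61112->61113 60901 454e10 LoadLibraryA 60900->60901 "
    "61152 4fa570 GetProcAddress 60901->61152 60908 45532c GetTempPathA 60907->60908 "
    "60940 4555fa CreateDirectoryA 60939->60940 60945 4556d0 SetCurrentDirectoryA 60944->60945 "
    "60987 4567e4 OutputDebugStringA 60986->60987 61043 45a521 Sleep shutdown closesocket "
    "61039->61043 61073 45a402 CreateMutexA 61072->61073 61075 45a419 GetLastError 61074->61075"
)

# Pattern names are this example's own; each maps to the APIs that must all appear.
PATTERNS = {
    "cursor-movement sandbox check": {"GetCursorPos", "Sleep"},
    "PEB read (debugger/VM fingerprinting)": {"GetPEB"},
    "single-instance mutex": {"CreateMutexA", "GetLastError"},
    "runtime API resolution": {"LoadLibraryA", "GetProcAddress"},
    "staging directory under %TEMP%": {"GetTempPathA", "CreateDirectoryA", "SetCurrentDirectoryA"},
    "OutputDebugString side channel": {"OutputDebugStringA"},
    "socket teardown": {"shutdown", "closesocket"},
}


def parse_graph(text):
    """Return {address: [label, ...]} in first-seen order.

    Node ids and edges are dropped; "NN API calls" summaries are dropped too,
    so a node with no real label ends up with an empty list.
    """
    nodes = OrderedDict()
    current = None
    expect_address = False
    for tok in text.split():
        if EDGE.match(tok):
            continue
        if NODE_ID.match(tok):
            expect_address = True
            current = None
            continue
        if expect_address:
            expect_address = False
            if ADDRESS.match(tok):
                current = tok
                nodes.setdefault(current, [])
            continue
        if current is None or tok in NOISE or tok.isdigit():
            continue
        if tok not in nodes[current]:
            nodes[current].append(tok)
    return nodes


def label_refs(nodes):
    """Map each label to the addresses that reference it, in graph order."""
    refs = {}
    for addr, labels in nodes.items():
        for label in labels:
            refs.setdefault(label, []).append(addr)
    return refs


def flag_patterns(nodes):
    """Return {pattern: {api: [addresses]}} for every pattern whose APIs all occur."""
    refs = label_refs(nodes)
    hits = {}
    for name, apis in PATTERNS.items():
        if apis.issubset(refs):
            hits[name] = {api: refs[api] for api in sorted(apis)}
    return hits


if __name__ == "__main__":
    for name, evidence in flag_patterns(parse_graph(SAMPLE)).items():
        print(name + ": " + ", ".join(f"{api}@{'/'.join(a)}" for api, a in evidence.items()))
```

The parser keys on the shape of the tokens rather than on a fixed node count, so the same code works on a graph pasted from any report of this format; the flagged addresses are the ones to open first in the disassembly (here 45a5c0/45a668 for the cursor loop and 45a402/45a419 for the mutex check).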
execution_graph (the interactive node/edge list, rendered here as the API-bearing nodes along the main path in graph order; function addresses as in the report, graph-internal node ids and edges omitted)
• 42efc4: Sleep
• 42dee9 / 42dedd: GetSystemTimeAsFileTime / GetSystemTimePreciseAsFileTime
• 453dc8: GetCurrentProcess, SetPriorityClass, SetUnhandledExceptionFilter
• 45a5c0 / 45a5d5: GetCursorPos; 45a668: Sleep, GetCursorPos; 45a71d: Sleep; 45a5f3 / 45a6a8: GetPEB
• 453dea: SetThreadExecutionState
• 43c1fb: GetSystemTimeAsFileTime
• 4446d2: GetLastError; 4446f2: SetLastError; 444f22: RtlAllocateHeap; 440319: EnterCriticalSection, LeaveCriticalSection
• 453e20: LoadLibraryA
• 45413e: GetModuleFileNameA
• 454675: GetProcessId
• 454d28: SetThreadExecutionState
• 454d4b: GetPEB
• 454e10: LoadLibraryA; 4fa570, 4fa6f8, 4fa7eb, 4fa8d9, 4fa9c7, 4faa07: GetProcAddress
• 45517d: CreateThread, FindCloseChangeNotification
• 45532c: GetTempPathA
• 4555fa, 455627: CreateDirectoryA
• 4556b8: GetPEB
• 4556d0: SetCurrentDirectoryA
• 4567e4: OutputDebugStringA
• 458d6b: OutputDebugStringA; 458d7c: CreateThread, CreateThread; 408980: LoadLibraryA
• 45a290: OutputDebugStringA
• 45a402: CreateMutexA; 45a419: GetLastError; 45a42a: Sleep; 45a510: Sleep
• 45a521: Sleep, shutdown, closesocket; 45a560: Sleep
Remaining nodes on the path carry CRT/STL helper labels (std::_Throw_Cpp_error, ___std_exception_copy, __fread_nolock, __Strxfrm, _strftime, __dosmaperr, std::_Facet_Register, error_info_injector, Concurrency::cancel_current_task, __FrameHandler3::FrameUnwindToState) or a "NN API calls" annotation giving that subgraph's call count.
LeaveCriticalSection std::_Facet_Register 61273->61292 61275 42df2d 61275->61275 61276->61275 61290 42fc4b RaiseException 61276->61290 61278 40308c 61291 42f3a5 42 API calls ___std_exception_copy 61278->61291 61280 4030b3 61280->61264 61281->61264 61288 445924 _strftime 61283->61288 61284 445962 61294 43bf8f 14 API calls __dosmaperr 61284->61294 61286 44594d RtlAllocateHeap 61287 445960 61286->61287 61286->61288 61287->61273 61288->61284 61288->61286 61293 440319 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 61288->61293 61290->61278 61291->61280 61292->61273 61293->61288 61294->61287 61296->61128 61333 433fee 61297->61333 61300 437e86 61301 437e99 ___std_exception_copy 61300->61301 61386 437bdd 61301->61386 61304 43322c ___std_exception_copy 41 API calls 61305 437ebb 61304->61305 61306 433c3b 61305->61306 61307 433c4e ___std_exception_copy 61306->61307 61524 433551 61307->61524 61310 43322c ___std_exception_copy 41 API calls 61311 433c66 61310->61311 61311->61145 61313 416981 61312->61313 61317 416952 __fread_nolock 61312->61317 61314 416990 61313->61314 61315 416a86 61313->61315 61319 4036f0 std::_Throw_Cpp_error 43 API calls 61314->61319 61575 403110 43 API calls 2 library calls 61315->61575 61317->61148 61321 4169d6 __fread_nolock __Strxfrm 61319->61321 61322 416a3d __fread_nolock error_info_injector __Strxfrm 61321->61322 61576 433500 41 API calls 2 library calls 61321->61576 61322->61148 61577 43c94c 61323->61577 61326 437938 61327 43794b ___std_exception_copy 61326->61327 61698 437813 61327->61698 61329 437957 61330 43322c ___std_exception_copy 41 API calls 61329->61330 61331 437963 61330->61331 61331->61140 61336 433ffa __FrameHandler3::FrameUnwindToState 61333->61336 61334 434001 61358 43bf8f 14 API calls __dosmaperr 61334->61358 61336->61334 61338 434021 61336->61338 61337 434006 61359 4334f0 41 API calls ___std_exception_copy 61337->61359 61340 434033 61338->61340 61341 434026 61338->61341 61350 44517f 61340->61350 61360 43bf8f 14 API 
calls __dosmaperr 61341->61360 61343 434011 61343->61140 61343->61300 61346 434043 61361 43bf8f 14 API calls __dosmaperr 61346->61361 61347 434050 61362 43408e LeaveCriticalSection __fread_nolock 61347->61362 61351 44518b __FrameHandler3::FrameUnwindToState 61350->61351 61363 43eadb EnterCriticalSection 61351->61363 61353 445199 61364 445223 61353->61364 61358->61337 61359->61343 61360->61343 61361->61343 61362->61343 61363->61353 61372 445246 61364->61372 61365 44529e 61366 444eea __dosmaperr 14 API calls 61365->61366 61367 4452a7 61366->61367 61382 4458aa 14 API calls 2 library calls 61367->61382 61370 4452b0 61376 4451a6 61370->61376 61383 446084 6 API calls __FrameHandler3::FrameUnwindToState 61370->61383 61372->61365 61372->61376 61380 43bae0 EnterCriticalSection 61372->61380 61381 43baf4 LeaveCriticalSection 61372->61381 61374 4452cf 61384 43bae0 EnterCriticalSection 61374->61384 61377 4451df 61376->61377 61385 43eb23 LeaveCriticalSection 61377->61385 61379 43403c 61379->61346 61379->61347 61380->61372 61381->61372 61382->61370 61383->61374 61384->61376 61385->61379 61391 437be9 __FrameHandler3::FrameUnwindToState 61386->61391 61387 437bef 61407 433473 41 API calls 2 library calls 61387->61407 61389 437c32 61397 43bae0 EnterCriticalSection 61389->61397 61390 437c0a 61390->61304 61391->61387 61391->61389 61393 437c3e 61398 437d60 61393->61398 61395 437c54 61408 437c7d LeaveCriticalSection __fread_nolock 61395->61408 61397->61393 61399 437d73 61398->61399 61400 437d86 61398->61400 61399->61395 61409 437c87 61400->61409 61402 437e37 61402->61395 61403 437da9 61403->61402 61413 434321 61403->61413 61407->61390 61408->61390 61410 437c98 61409->61410 61411 437cf0 61409->61411 61410->61411 61422 43ce8d 43 API calls 2 library calls 61410->61422 61411->61403 61414 434361 61413->61414 61415 43433a 61413->61415 61419 43cecd 61414->61419 61415->61414 61423 444a79 61415->61423 61417 434356 61430 443f08 61417->61430 61500 43cdac 61419->61500 61421 43cee6 61421->61402 
61422->61411 61424 444a85 61423->61424 61425 444a9a 61423->61425 61441 43bf8f 14 API calls __dosmaperr 61424->61441 61425->61417 61427 444a8a 61442 4334f0 41 API calls ___std_exception_copy 61427->61442 61429 444a95 61429->61417 61433 443f14 __FrameHandler3::FrameUnwindToState 61430->61433 61431 443f1c 61431->61414 61432 443f55 61472 433473 41 API calls 2 library calls 61432->61472 61433->61431 61433->61432 61435 443f9b 61433->61435 61443 448f52 EnterCriticalSection 61435->61443 61437 443fa1 61438 443fbf 61437->61438 61444 444019 61437->61444 61473 444011 LeaveCriticalSection __wsopen_s 61438->61473 61441->61427 61442->61429 61443->61437 61445 444041 61444->61445 61448 444064 __wsopen_s 61444->61448 61446 444045 61445->61446 61449 4440a0 61445->61449 61481 433473 41 API calls 2 library calls 61446->61481 61448->61438 61450 4440be 61449->61450 61451 43cecd __wsopen_s 43 API calls 61449->61451 61474 443b5e 61450->61474 61451->61450 61454 4440d6 61458 444105 61454->61458 61459 4440de 61454->61459 61455 44411d 61456 444186 WriteFile 61455->61456 61457 444131 61455->61457 61456->61448 61462 4441a8 GetLastError 61456->61462 61460 444172 61457->61460 61461 444139 61457->61461 61483 44372f 47 API calls 5 library calls 61458->61483 61459->61448 61482 443af6 6 API calls __wsopen_s 61459->61482 61486 443bdb 7 API calls 2 library calls 61460->61486 61464 44415e 61461->61464 61465 44413e 61461->61465 61462->61448 61485 443d9f 8 API calls 3 library calls 61464->61485 61465->61448 61468 444147 61465->61468 61484 443cb6 7 API calls 2 library calls 61468->61484 61470 444118 61470->61448 61472->61431 61473->61431 61487 44e474 61474->61487 61476 443bd4 61476->61454 61476->61455 61477 443b70 61477->61476 61478 443b9e 61477->61478 61496 438a60 41 API calls 2 library calls 61477->61496 61478->61476 61480 443bb8 GetConsoleMode 61478->61480 61480->61476 61481->61448 61482->61448 61483->61470 61484->61448 61485->61470 61486->61470 61488 44e481 61487->61488 61489 44e48e 61487->61489 61497 
43bf8f 14 API calls __dosmaperr 61488->61497 61492 44e49a 61489->61492 61498 43bf8f 14 API calls __dosmaperr 61489->61498 61491 44e486 61491->61477 61492->61477 61494 44e4bb 61499 4334f0 41 API calls ___std_exception_copy 61494->61499 61496->61478 61497->61491 61498->61494 61499->61491 61506 4491ce 61500->61506 61502 43cdbe 61503 43cdda SetFilePointerEx 61502->61503 61505 43cdc6 __wsopen_s 61502->61505 61504 43cdf2 GetLastError 61503->61504 61503->61505 61504->61505 61505->61421 61507 4491f0 61506->61507 61508 4491db 61506->61508 61513 449215 61507->61513 61521 43bf7c 14 API calls __dosmaperr 61507->61521 61519 43bf7c 14 API calls __dosmaperr 61508->61519 61510 4491e0 61520 43bf8f 14 API calls __dosmaperr 61510->61520 61513->61502 61514 449220 61522 43bf8f 14 API calls __dosmaperr 61514->61522 61516 4491e8 61516->61502 61517 449228 61523 4334f0 41 API calls ___std_exception_copy 61517->61523 61519->61510 61520->61516 61521->61514 61522->61517 61523->61516 61525 43355d __FrameHandler3::FrameUnwindToState 61524->61525 61526 433585 61525->61526 61527 433564 61525->61527 61535 43bae0 EnterCriticalSection 61526->61535 61539 433473 41 API calls 2 library calls 61527->61539 61530 43357d 61530->61310 61531 433590 61536 433660 61531->61536 61535->61531 61541 433692 61536->61541 61538 43359f 61540 4335c7 LeaveCriticalSection __fread_nolock 61538->61540 61539->61530 61540->61530 61542 4336a1 61541->61542 61543 4336c9 61541->61543 61558 433473 41 API calls 2 library calls 61542->61558 61545 444a79 __fread_nolock 41 API calls 61543->61545 61546 4336d2 61545->61546 61555 43ce6f 61546->61555 61549 43377c 61559 4339fe 46 API calls 4 library calls 61549->61559 61551 43378b 61554 4336bc __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 61551->61554 61552 433793 61552->61554 61560 433833 45 API calls 2 library calls 61552->61560 61554->61538 61561 43cc87 61555->61561 61558->61554 61559->61551 61560->61554 61563 43cc93 __FrameHandler3::FrameUnwindToState 61561->61563 61562 43ccd6 61573 
433473 41 API calls 2 library calls 61562->61573 61563->61562 61565 43cd1c 61563->61565 61571 4336f0 61563->61571 61572 448f52 EnterCriticalSection 61565->61572 61567 43cd22 61568 43cd43 61567->61568 61569 43cdac __fread_nolock 43 API calls 61567->61569 61574 43cda4 LeaveCriticalSection __wsopen_s 61568->61574 61569->61568 61571->61549 61571->61552 61571->61554 61572->61567 61573->61571 61574->61571 61575->61321 61578 43c958 __FrameHandler3::FrameUnwindToState 61577->61578 61579 43c9a2 61578->61579 61584 43c96b __fread_nolock 61578->61584 61589 43c947 61578->61589 61590 43bae0 EnterCriticalSection 61579->61590 61581 43c9ac 61591 43c756 61581->61591 61604 43bf8f 14 API calls __dosmaperr 61584->61604 61585 43c985 61605 4334f0 41 API calls ___std_exception_copy 61585->61605 61589->61326 61590->61581 61593 43c768 __fread_nolock 61591->61593 61597 43c785 61591->61597 61592 43c775 61672 43bf8f 14 API calls __dosmaperr 61592->61672 61593->61592 61593->61597 61600 43c7c6 __fread_nolock 61593->61600 61595 43c77a 61673 4334f0 41 API calls ___std_exception_copy 61595->61673 61606 43c9e1 LeaveCriticalSection __fread_nolock 61597->61606 61598 43c8f1 __fread_nolock 61675 43bf8f 14 API calls __dosmaperr 61598->61675 61600->61597 61600->61598 61602 444a79 __fread_nolock 41 API calls 61600->61602 61607 4431a0 61600->61607 61674 43777b 41 API calls 4 library calls 61600->61674 61602->61600 61604->61585 61605->61589 61606->61589 61608 4431b2 61607->61608 61609 4431ca 61607->61609 61676 43bf7c 14 API calls __dosmaperr 61608->61676 61610 44350c 61609->61610 61616 44320d 61609->61616 61695 43bf7c 14 API calls __dosmaperr 61610->61695 61613 4431b7 61677 43bf8f 14 API calls __dosmaperr 61613->61677 61615 443511 61696 43bf8f 14 API calls __dosmaperr 61615->61696 61617 4431bf 61616->61617 61619 443218 61616->61619 61625 443248 61616->61625 61617->61600 61678 43bf7c 14 API calls __dosmaperr 61619->61678 61620 443225 61697 4334f0 41 API calls ___std_exception_copy 61620->61697 61622 44321d 
61679 43bf8f 14 API calls __dosmaperr 61622->61679 61626 443261 61625->61626 61627 44326e 61625->61627 61630 44329c 61625->61630 61626->61627 61629 44328a 61626->61629 61680 43bf7c 14 API calls __dosmaperr 61627->61680 61634 44e474 __fread_nolock 41 API calls 61629->61634 61683 445924 15 API calls 3 library calls 61630->61683 61631 443273 61681 43bf8f 14 API calls __dosmaperr 61631->61681 61637 4433e8 61634->61637 61635 4432ad 61684 4458aa 14 API calls 2 library calls 61635->61684 61636 44327a 61682 4334f0 41 API calls ___std_exception_copy 61636->61682 61641 44345c 61637->61641 61644 443401 GetConsoleMode 61637->61644 61639 4432b6 61685 4458aa 14 API calls 2 library calls 61639->61685 61643 443460 ReadFile 61641->61643 61646 4434d4 GetLastError 61643->61646 61647 443478 61643->61647 61644->61641 61648 443412 61644->61648 61645 4432bd 61649 4432c7 61645->61649 61650 4432e2 61645->61650 61651 4434e1 61646->61651 61652 443438 61646->61652 61647->61646 61653 443451 61647->61653 61648->61643 61654 443418 ReadConsoleW 61648->61654 61686 43bf8f 14 API calls __dosmaperr 61649->61686 61688 43ce8d 43 API calls 2 library calls 61650->61688 61693 43bf8f 14 API calls __dosmaperr 61651->61693 61670 443285 __fread_nolock 61652->61670 61689 43bf35 14 API calls 2 library calls 61652->61689 61665 4434b4 61653->61665 61666 44349d 61653->61666 61653->61670 61654->61653 61659 443432 GetLastError 61654->61659 61659->61652 61660 4432cc 61687 43bf7c 14 API calls __dosmaperr 61660->61687 61661 4434e6 61694 43bf7c 14 API calls __dosmaperr 61661->61694 61667 4434cd 61665->61667 61665->61670 61691 442eb2 46 API calls 4 library calls 61666->61691 61692 442cf8 44 API calls __fread_nolock 61667->61692 61690 4458aa 14 API calls 2 library calls 61670->61690 61671 4434d2 61671->61670 61672->61595 61673->61597 61674->61600 61675->61595 61676->61613 61677->61617 61678->61622 61679->61620 61680->61631 61681->61636 61682->61670 61683->61635 61684->61639 61685->61645 61686->61660 61687->61670 
61688->61629 61689->61670 61690->61617 61691->61670 61692->61671 61693->61661 61694->61670 61695->61615 61696->61620 61697->61617 61699 43781f __FrameHandler3::FrameUnwindToState 61698->61699 61700 437829 61699->61700 61701 43784c 61699->61701 61724 433473 41 API calls 2 library calls 61700->61724 61702 437844 61701->61702 61709 43bae0 EnterCriticalSection 61701->61709 61702->61329 61705 43786a 61710 4378aa 61705->61710 61707 437877 61725 4378a2 LeaveCriticalSection __fread_nolock 61707->61725 61709->61705 61711 4378b7 61710->61711 61712 4378da 61710->61712 61737 433473 41 API calls 2 library calls 61711->61737 61714 434321 ___scrt_uninitialize_crt 66 API calls 61712->61714 61722 4378d2 61712->61722 61715 4378f2 61714->61715 61726 4458e4 61715->61726 61718 444a79 __fread_nolock 41 API calls 61719 437906 61718->61719 61730 4435bc 61719->61730 61722->61707 61724->61702 61725->61702 61727 4378fa 61726->61727 61728 4458fb 61726->61728 61727->61718 61728->61727 61739 4458aa 14 API calls 2 library calls 61728->61739 61731 43790d 61730->61731 61733 4435e5 61730->61733 61731->61722 61738 4458aa 14 API calls 2 library calls 61731->61738 61732 443634 61748 433473 41 API calls 2 library calls 61732->61748 61733->61732 61735 44360c 61733->61735 61740 44352b 61735->61740 61737->61722 61738->61722 61739->61727 61741 443537 __FrameHandler3::FrameUnwindToState 61740->61741 61749 448f52 EnterCriticalSection 61741->61749 61743 443545 61744 443576 61743->61744 61750 44368f 61743->61750 61763 4435b0 LeaveCriticalSection __wsopen_s 61744->61763 61747 443599 61747->61731 61748->61731 61749->61743 61751 4491ce __wsopen_s 41 API calls 61750->61751 61753 44369f 61751->61753 61752 4436a5 61764 44913d 15 API calls 3 library calls 61752->61764 61753->61752 61755 4436d7 61753->61755 61756 4491ce __wsopen_s 41 API calls 61753->61756 61755->61752 61757 4491ce __wsopen_s 41 API calls 61755->61757 61758 4436ce 61756->61758 61759 4436e3 FindCloseChangeNotification 61757->61759 61760 4491ce 
__wsopen_s 41 API calls 61758->61760 61759->61752 61761 4436ef GetLastError 61759->61761 61760->61755 61761->61752 61762 4436fd __wsopen_s 61762->61744 61763->61747 61764->61762 61766 4d2870 61765->61766 61784 4d23fe __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z error_info_injector 61765->61784 61767 4d2447 setsockopt recv WSAGetLastError 61767->61766 61767->61784 61769 42d8f9 __Xtime_get_ticks 2 API calls 61769->61784 61770 4d285b Sleep 61770->61766 61770->61784 61771 4d27c8 recv 61772 4d284d Sleep 61771->61772 61772->61770 61773 416930 43 API calls 61774 4d24d8 recv 61773->61774 61775 4d24f9 recv 61774->61775 61774->61784 61775->61784 61777 416930 43 API calls 61780 4d2561 setsockopt recv 61777->61780 61778 414090 std::_Throw_Cpp_error 43 API calls 61778->61784 61779 4d2885 61892 433500 41 API calls 2 library calls 61779->61892 61780->61784 61784->61767 61784->61769 61784->61770 61784->61771 61784->61772 61784->61773 61784->61777 61784->61778 61784->61779 61785 4d3150 WSAStartup 61784->61785 61798 4d2890 61784->61798 61880 4081e0 61784->61880 61786 4d3256 61785->61786 61787 4d3188 61785->61787 61786->61784 61787->61786 61788 4d31be getaddrinfo 61787->61788 61789 4d3206 61788->61789 61790 4d3250 WSACleanup 61788->61790 61791 4d3264 freeaddrinfo 61789->61791 61793 4d3214 socket 61789->61793 61790->61786 61791->61790 61792 4d3270 61791->61792 61792->61784 61793->61790 61794 4d322a connect 61793->61794 61795 4d323c closesocket 61794->61795 61796 4d3260 61794->61796 61795->61793 61797 4d3246 freeaddrinfo 61795->61797 61796->61791 61797->61790 61799 4d2946 61798->61799 61800 4d28e3 61798->61800 61802 4d294e 61799->61802 61803 4d2970 61799->61803 61801 4081e0 46 API calls 61800->61801 61813 4d2909 61801->61813 61940 413df0 43 API calls 3 library calls 61802->61940 61804 4d299d 61803->61804 61805 4d2978 61803->61805 61808 4d29cc 61804->61808 61809 4d29a5 61804->61809 61941 413df0 43 API calls 3 library calls 61805->61941 61810 4d29d4 61808->61810 61811 4d29f2 61808->61811 
61809->61813 61942 413df0 43 API calls 3 library calls 61809->61942 61814 43bb47 44 API calls 61810->61814 61811->61813 61815 4d2f16 61811->61815 61816 4d2a12 61811->61816 61817 4d2941 error_info_injector 61813->61817 61958 433500 41 API calls 2 library calls 61813->61958 61814->61813 61820 4d2f1e 61815->61820 61821 4d2f54 61815->61821 61893 404b10 50 API calls std::_Throw_Cpp_error 61816->61893 61817->61784 61947 4186a0 48 API calls 61820->61947 61822 4d2f5c 61821->61822 61823 4d2f92 61821->61823 61949 4186a0 48 API calls 61822->61949 61827 4d2f9a 61823->61827 61828 4d2fd0 61823->61828 61824 4d30bd 61959 433500 41 API calls 2 library calls 61824->61959 61951 4186a0 48 API calls 61827->61951 61835 4d300e 61828->61835 61836 4d2fd8 61828->61836 61830 4d2f3b 61948 411960 43 API calls 61830->61948 61831 4d2f79 61950 411960 43 API calls 61831->61950 61832 4d2efe 61944 42d43a 61832->61944 61838 4d304c 61835->61838 61839 4d3016 61835->61839 61953 4186a0 48 API calls 61836->61953 61838->61813 61957 453390 46 API calls 3 library calls 61838->61957 61955 4186a0 48 API calls 61839->61955 61842 4d2fb7 61952 411960 43 API calls 61842->61952 61846 4d2ff5 61954 411960 43 API calls 61846->61954 61848 4d3033 61956 411960 43 API calls 61848->61956 61849 4034e0 std::_Throw_Cpp_error 43 API calls 61857 4d2a34 error_info_injector 61849->61857 61852 4d3066 61853 413fa0 41 API calls 61852->61853 61854 4d3071 61853->61854 61856 4031c0 std::_Throw_Cpp_error 41 API calls 61854->61856 61856->61813 61857->61824 61857->61832 61857->61849 61858 4d2c75 61857->61858 61894 41c4c0 61857->61894 61859 4032a0 43 API calls 61858->61859 61860 4d2c96 61859->61860 61933 4e2cc0 43 API calls 3 library calls 61860->61933 61862 4d2ca7 61863 4031c0 std::_Throw_Cpp_error 41 API calls 61862->61863 61864 4d2cb6 61863->61864 61865 4d2d7c 61864->61865 61866 4d2d54 GetCurrentProcess 61864->61866 61869 4340b0 43 API calls 61865->61869 61867 414090 std::_Throw_Cpp_error 43 API calls 61866->61867 61868 4d2d6d 
61867->61868 61943 4db380 56 API calls 3 library calls 61868->61943 61870 4d2e18 61869->61870 61879 4d2e4a 61870->61879 61934 43beb8 61870->61934 61872 4d2d74 61872->61879 61875 437938 71 API calls 61875->61879 61876 4031c0 std::_Throw_Cpp_error 41 API calls 61876->61832 61877 4031c0 std::_Throw_Cpp_error 41 API calls 61877->61879 61878 4d2ea0 error_info_injector 61878->61824 61878->61876 61879->61877 61879->61878 61881 414090 std::_Throw_Cpp_error 43 API calls 61880->61881 61884 40822d 61881->61884 61882 4031c0 std::_Throw_Cpp_error 41 API calls 61883 408392 61882->61883 61885 416930 43 API calls 61883->61885 61887 4083dd __Strxfrm 61883->61887 61884->61882 61885->61887 61886 4084b0 GetModuleHandleA GetProcAddress WSASend 61886->61887 61888 40859e error_info_injector 61886->61888 61887->61886 61887->61888 61890 40860a error_info_injector 61888->61890 62015 433500 41 API calls 2 library calls 61888->62015 61890->61784 61893->61857 61895 41c55d 61894->61895 61901 41c4e2 __Strxfrm 61894->61901 61896 41c64c 61895->61896 61897 41c56c 61895->61897 61960 403110 43 API calls 2 library calls 61896->61960 61900 4036f0 std::_Throw_Cpp_error 43 API calls 61897->61900 61902 41c5b1 __Strxfrm 61900->61902 61901->61857 61919 41c60c error_info_injector __Strxfrm 61902->61919 61961 433500 41 API calls 2 library calls 61902->61961 61919->61857 61933->61862 61935 43becb ___std_exception_copy 61934->61935 61962 43bc9a 61935->61962 61937 43bee0 61938 43322c ___std_exception_copy 41 API calls 61937->61938 61939 43beed 61938->61939 61939->61875 61940->61813 61941->61813 61942->61813 61943->61872 61945 42d446 ReleaseSRWLockExclusive 61944->61945 61946 42d454 61944->61946 61945->61946 61946->61813 61947->61830 61948->61813 61949->61831 61950->61813 61951->61842 61952->61813 61953->61846 61954->61813 61955->61848 61956->61813 61957->61852 61960->61902 61963 43bcd0 61962->61963 61964 43bca8 61962->61964 61963->61937 61964->61963 61965 43bcd7 61964->61965 61966 43bcb5 61964->61966 61970 
43bbf3 61965->61970 61978 433473 41 API calls 2 library calls 61966->61978 61971 43bbff __FrameHandler3::FrameUnwindToState 61970->61971 61979 43bae0 EnterCriticalSection 61971->61979 61973 43bc0d 61980 43bc4e 61973->61980 61977 43bc2b 61977->61937 61978->61963 61979->61973 61988 44713a 61980->61988 61986 43bc1a 61987 43bc42 LeaveCriticalSection __fread_nolock 61986->61987 61987->61977 62005 4470fc 61988->62005 61990 43bc66 61995 43bd11 61990->61995 61991 44714b 61991->61990 62012 445924 15 API calls 3 library calls 61991->62012 61993 4471a4 62013 4458aa 14 API calls 2 library calls 61993->62013 61998 43bd23 61995->61998 61999 43bc84 61995->61999 61996 43bd31 62014 433473 41 API calls 2 library calls 61996->62014 61998->61996 61998->61999 62002 43bd67 __Strxfrm 61998->62002 62004 4471e5 66 API calls ___scrt_uninitialize_crt 61999->62004 62000 434321 ___scrt_uninitialize_crt 66 API calls 62000->62002 62001 444a79 __fread_nolock 41 API calls 62001->62002 62002->61999 62002->62000 62002->62001 62003 443f08 __wsopen_s 66 API calls 62002->62003 62003->62002 62004->61986 62007 447108 62005->62007 62006 447132 62006->61991 62007->62006 62008 444a79 __fread_nolock 41 API calls 62007->62008 62009 447123 62008->62009 62010 44e474 __fread_nolock 41 API calls 62009->62010 62011 447129 62010->62011 62011->61991 62012->61993 62013->61990 62014->61999 62016 444c92 62017 444a79 __fread_nolock 41 API calls 62016->62017 62018 444c9f 62017->62018 62019 444cab 62018->62019 62020 444cf7 62018->62020 62033 444e5a 43 API calls __wsopen_s 62018->62033 62020->62019 62022 444d59 62020->62022 62023 4470fc 41 API calls 62020->62023 62034 444d88 66 API calls 2 library calls 62022->62034 62026 444d4c 62023->62026 62025 444d6a 62026->62022 62028 447f13 62026->62028 62029 444eea __dosmaperr 14 API calls 62028->62029 62030 447f30 62029->62030 62035 4458aa 14 API calls 2 library calls 62030->62035 62032 447f3a 62032->62022 62033->62020 62034->62025 62035->62032 62036 447223 62037 447230 
62036->62037 62040 447248 62036->62040 62086 43bf8f 14 API calls __dosmaperr 62037->62086 62039 447235 62087 4334f0 41 API calls ___std_exception_copy 62039->62087 62042 447f13 14 API calls 62040->62042 62044 4472a7 62040->62044 62050 447240 62040->62050 62042->62044 62043 444a79 __fread_nolock 41 API calls 62045 4472c0 62043->62045 62044->62043 62056 443087 62045->62056 62048 444a79 __fread_nolock 41 API calls 62049 4472f9 62048->62049 62049->62050 62051 444a79 __fread_nolock 41 API calls 62049->62051 62052 447307 62051->62052 62052->62050 62053 444a79 __fread_nolock 41 API calls 62052->62053 62054 447315 62053->62054 62055 444a79 __fread_nolock 41 API calls 62054->62055 62055->62050 62057 443093 __FrameHandler3::FrameUnwindToState 62056->62057 62058 44309b 62057->62058 62060 4430b6 62057->62060 62089 43bf7c 14 API calls __dosmaperr 62058->62089 62062 4430cd 62060->62062 62065 443108 62060->62065 62061 4430a0 62090 43bf8f 14 API calls __dosmaperr 62061->62090 62091 43bf7c 14 API calls __dosmaperr 62062->62091 62067 443126 62065->62067 62068 443111 62065->62068 62066 4430d2 62092 43bf8f 14 API calls __dosmaperr 62066->62092 62088 448f52 EnterCriticalSection 62067->62088 62094 43bf7c 14 API calls __dosmaperr 62068->62094 62072 44312c 62075 443160 62072->62075 62076 44314b 62072->62076 62073 4430da 62093 4334f0 41 API calls ___std_exception_copy 62073->62093 62074 443116 62095 43bf8f 14 API calls __dosmaperr 62074->62095 62080 4431a0 __fread_nolock 53 API calls 62075->62080 62096 43bf8f 14 API calls __dosmaperr 62076->62096 62082 44315b 62080->62082 62081 443150 62097 43bf7c 14 API calls __dosmaperr 62081->62097 62098 443198 LeaveCriticalSection __wsopen_s 62082->62098 62085 4430a8 62085->62048 62085->62050 62086->62039 62087->62050 62088->62072 62089->62061 62090->62085 62091->62066 62092->62073 62093->62085 62094->62074 62095->62073 62096->62081 62097->62082 62098->62085 62099 5df5026 62100 5df5035 62099->62100 62103 5df57c6 62100->62103 62104 5df57e1 62103->62104 
62105 5df57ea CreateToolhelp32Snapshot 62104->62105 62106 5df5806 Module32First 62104->62106 62105->62104 62105->62106 62107 5df503e 62106->62107 62108 5df5815 62106->62108 62110 5df5485 62108->62110 62111 5df54b0 62110->62111 62112 5df54f9 62111->62112 62113 5df54c1 VirtualAlloc 62111->62113 62112->62112 62113->62112 62114 44550f 62119 4452e5 62114->62119 62117 44554e 62120 445304 62119->62120 62121 445317 62120->62121 62128 44532c 62120->62128 62139 43bf8f 14 API calls __dosmaperr 62121->62139 62123 44531c 62140 4334f0 41 API calls ___std_exception_copy 62123->62140 62125 445327 62125->62117 62136 43d543 62125->62136 62127 4454fd 62145 4334f0 41 API calls ___std_exception_copy 62127->62145 62134 44544c 62128->62134 62141 43b83e 41 API calls 2 library calls 62128->62141 62131 44549c 62131->62134 62142 43b83e 41 API calls 2 library calls 62131->62142 62133 4454ba 62133->62134 62143 43b83e 41 API calls 2 library calls 62133->62143 62134->62125 62144 43bf8f 14 API calls __dosmaperr 62134->62144 62146 43ceeb 62136->62146 62139->62123 62140->62125 62141->62131 62142->62133 62143->62134 62144->62127 62145->62125 62149 43cef7 __FrameHandler3::FrameUnwindToState 62146->62149 62147 43cefe 62166 43bf8f 14 API calls __dosmaperr 62147->62166 62149->62147 62151 43cf29 62149->62151 62150 43cf03 62167 4334f0 41 API calls ___std_exception_copy 62150->62167 62157 43d4d5 62151->62157 62156 43cf0d 62156->62117 62169 437a37 62157->62169 62162 43d50b 62164 43cf4d 62162->62164 62224 4458aa 14 API calls 2 library calls 62162->62224 62168 43cf80 LeaveCriticalSection __wsopen_s 62164->62168 62166->62150 62167->62156 62168->62156 62225 433e3e 62169->62225 62173 437a5b 62174 437a1a 62173->62174 62236 437968 62174->62236 62177 43d563 62261 43d2b1 62177->62261 62180 43d595 62293 43bf7c 14 API calls __dosmaperr 62180->62293 62181 43d5ae 62279 44902a 62181->62279 62185 43d5d3 62292 43d21c CreateFileW 62185->62292 62186 43d5bc 62295 43bf7c 14 API calls __dosmaperr 62186->62295 62190 43d5c1 62296 

Control-flow Graph

• Executed
• Not Executed
APIs
• Sleep.KERNELBASE(00000025), ref: 00453C44
  • Part of subcall function 004E2FA0: __Xtime_get_ticks.LIBCPMT ref: 004E2FA1
  • Part of subcall function 004E2FA0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004E2FAF
• GetCurrentProcess.KERNEL32(00008000,00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00000001), ref: 00453DCD
• SetPriorityClass.KERNELBASE(00000000), ref: 00453DD4
• SetUnhandledExceptionFilter.KERNEL32(0045A780), ref: 00453DDF
Strings
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: ClassCurrentExceptionFilterPriorityProcessSleepUnhandledUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
• String ID: /*************/$131$131$147.45.47.93:58709$149.18.24.96$43t res tgy45yfhyrt$Dk43l_dwmk438*$er ert 346 34634 6ch$futer
• API String ID: 1211644118-3050393103
• Opcode ID: d815512b09ebf0c0998b3e8d6d46b6c6c8f98991f312bd21f85900f769a006aa
• Instruction ID: 58df280d1c5bcf31294a4ea42ed0208b52652377ae8c263acff41185647b5a58
• Opcode Fuzzy Hash: d815512b09ebf0c0998b3e8d6d46b6c6c8f98991f312bd21f85900f769a006aa
• Instruction Fuzzy Hash: F70326B45083829FC324DF29C491AABBBE4FFD8345F40491EE98997352DB30A549CF96
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• GetCursorPos.USER32(?), ref: 0045A5D3
• GetCursorPos.USER32(?), ref: 0045A5D9
• Sleep.KERNELBASE(000003E9,?,?,?,?,?,?,?,?,?,?,?,00453DEA), ref: 0045A688
• GetCursorPos.USER32(?), ref: 0045A68E
• Sleep.KERNELBASE(00000001,?,?,?,?,?,?,?,?,?,?,?,00453DEA), ref: 0045A73A
Strings
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: Cursor$Sleep
• String ID: =E
• API String ID: 1847515627-2289002813
• Opcode ID: 87aaf06eb3feef4bfb938811ad3031e6b1e2923ec5a892cc3e26860d6edd803d
• Instruction ID: 823f227e19ebc1f4262c84ee3b7a9e46c16cc5b48225767440be61142120e435
• Opcode Fuzzy Hash: 87aaf06eb3feef4bfb938811ad3031e6b1e2923ec5a892cc3e26860d6edd803d
• Instruction Fuzzy Hash: B151CC35A00215CFCB18CF58C4C4EAAB7B1FF49705F19429AD945AB312D739ED1ACB81
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• GetModuleFileNameA.KERNELBASE(00000000,?,00000200,?,?,811C9DC5), ref: 004DF7D2
• GetModuleHandleA.KERNEL32(?), ref: 004DFBF1
• GetProcAddress.KERNEL32(00000000,?), ref: 004DFBFC
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: Module$AddressFileHandleNameProc
• String ID:
• API String ID: 3556842501-0
• Opcode ID: f5ef7e5a0093e01301607f7d42f07229371b5a2fad561cb305fd20bd82fb37b4
• Instruction ID: 1c398614b8e40d06d673246c6905bd3bbdd575ff32f9acac0e67e79eca0af1e2
• Opcode Fuzzy Hash: f5ef7e5a0093e01301607f7d42f07229371b5a2fad561cb305fd20bd82fb37b4
• Instruction Fuzzy Hash: 393258B4D00249AFDB10CF98D995BEEFBB1FF48314F20425AE849AB381D7346A45CB95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• setsockopt.WS2_32(00000338,0000FFFF,00001006,?,00000008), ref: 004D2466
• recv.WS2_32(?,00000004,00000002), ref: 004D2481
• WSAGetLastError.WS2_32 ref: 004D2485
• recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 004D24EE
• recv.WS2_32(00000000,0000000C,00000008), ref: 004D250F
• setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004D258B
• recv.WS2_32(00000000,?,00000008), ref: 004D25AC
  • Part of subcall function 004D3150: WSAStartup.WS2_32 ref: 004D317A
  • Part of subcall function 004D3150: getaddrinfo.WS2_32(?,?,?,00588CC0), ref: 004D31FC
  • Part of subcall function 004D3150: socket.WS2_32(?,?,?), ref: 004D321D
  • Part of subcall function 004D3150: connect.WS2_32(00000000,0055F6D1,?), ref: 004D3231
  • Part of subcall function 004D3150: closesocket.WS2_32(00000000), ref: 004D323D
  • Part of subcall function 004D3150: freeaddrinfo.WS2_32(?,?,?,?,00588CC0,?,?), ref: 004D324A
  • Part of subcall function 004D3150: WSACleanup.WS2_32 ref: 004D3250
• recv.WS2_32(?,00000004,00000008), ref: 004D27D6
• __Xtime_get_ticks.LIBCPMT ref: 004D27DA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D27E8
• Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004D284F
• Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004D285D
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: recv$Sleepsetsockopt$CleanupErrorLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectfreeaddrinfogetaddrinfosocket
• String ID:
• API String ID: 4125349891-0
• Opcode ID: 741e4aba1a023d42f8cda5b1c611e4a31a37109a2d99ce0121b9f219ece0da7f
• Instruction ID: 15ea99ae058cf58d21446cf462f8f8b9c5c04bab4b96d95aa166a16db5b48a04
• Opcode Fuzzy Hash: 741e4aba1a023d42f8cda5b1c611e4a31a37109a2d99ce0121b9f219ece0da7f
• Instruction Fuzzy Hash: 55E13230900244DFDB15DBA4CDA07ADBBF1BF66310F24425BE841AB2D2DBB45C8ADB95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
  • Part of subcall function 0043D21C: CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0043D239
• GetLastError.KERNEL32 ref: 0043D677
• __dosmaperr.LIBCMT ref: 0043D67E
• GetFileType.KERNELBASE(00000000), ref: 0043D68A
• GetLastError.KERNEL32 ref: 0043D694
• __dosmaperr.LIBCMT ref: 0043D69D
• CloseHandle.KERNEL32(00000000), ref: 0043D6BD
• CloseHandle.KERNEL32(?), ref: 0043D80A
• GetLastError.KERNEL32 ref: 0043D83C
• __dosmaperr.LIBCMT ref: 0043D843
Strings
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 63c00d4ff725a68de22716b4a375591cf024028e2c9fd4940c7fbe6601f7ac47
• Instruction ID: deea7823187220b22c69116efca66525af397024c1424d0dae53dd4a9d4c69af
• Opcode Fuzzy Hash: 63c00d4ff725a68de22716b4a375591cf024028e2c9fd4940c7fbe6601f7ac47
• Instruction Fuzzy Hash: 47A17C31E14114AFCF19AF68EC467AE3BB1EB0A324F14215EF811DB391DB388816DB55
Uniqueness

Uniqueness Score: -1.00%

                                                                                      Control-flow Graph: rendered graph image not reproduced; it covered basic blocks 4d2190-4d288a of this function, colored Executed / Not Executed.
                                                                                      APIs
                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004D2391
                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004D23A2
                                                                                      • setsockopt.WS2_32(00000338,0000FFFF,00001006,?,00000008), ref: 004D2466
                                                                                      • recv.WS2_32(?,00000004,00000002), ref: 004D2481
                                                                                      • WSAGetLastError.WS2_32 ref: 004D2485
                                                                                      • recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 004D24EE
                                                                                      • recv.WS2_32(00000000,0000000C,00000008), ref: 004D250F
                                                                                      • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004D258B
                                                                                      • recv.WS2_32(00000000,?,00000008), ref: 004D25AC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: recv$Cpp_errorThrow_setsockoptstd::_$ErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 4262120464-0
                                                                                      • Opcode ID: c1582d6184370410a97c32afa1233909a04efc10503d3efc906a2629de16cee2
                                                                                      • Instruction ID: f7b17b8e68668ba49e7fca0522a5bdce23b6917c1ff1aba89fdf03a1c4391d3e
                                                                                      • Opcode Fuzzy Hash: c1582d6184370410a97c32afa1233909a04efc10503d3efc906a2629de16cee2
                                                                                      • Instruction Fuzzy Hash: 8AF10070D00248DBDB14DFA8DD95BAEBBB1FF54314F10821AE804AB392DB786985DF94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph: rendered graph image not reproduced; it covered basic blocks 4431a0-44352a of this function, colored Executed / Not Executed.
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID: 0-3907804496
                                                                                      • Opcode ID: f312eda8249cc3069f08ad3250047b362f1821e8ea6b527c5d9c004b485e982e
                                                                                      • Instruction ID: e3239ec4e1ee32b8324d570a22e522ef24bddbe65fd960e714ad45a7b0e040b8
                                                                                      • Opcode Fuzzy Hash: f312eda8249cc3069f08ad3250047b362f1821e8ea6b527c5d9c004b485e982e
                                                                                      • Instruction Fuzzy Hash: 77B12670A04244AFEB01DF59C881BBE7BB1FF49715F14419AE90197382CB789E41CBA9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph: rendered graph image not reproduced; it covered basic blocks 4d3150-4d3278 of this function, colored Executed / Not Executed.
                                                                                      APIs
                                                                                      • WSAStartup.WS2_32 ref: 004D317A
                                                                                      • getaddrinfo.WS2_32(?,?,?,00588CC0), ref: 004D31FC
                                                                                      • socket.WS2_32(?,?,?), ref: 004D321D
                                                                                      • connect.WS2_32(00000000,0055F6D1,?), ref: 004D3231
                                                                                      • closesocket.WS2_32(00000000), ref: 004D323D
                                                                                      • freeaddrinfo.WS2_32(?,?,?,?,00588CC0,?,?), ref: 004D324A
                                                                                      • WSACleanup.WS2_32 ref: 004D3250
                                                                                      • freeaddrinfo.WS2_32(?,?,?,?,00588CC0,?,?), ref: 004D3265
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: freeaddrinfo$CleanupStartupclosesocketconnectgetaddrinfosocket
                                                                                      • String ID:
                                                                                      • API String ID: 58224237-0
                                                                                      • Opcode ID: 9e6883013388f64e9fa16a16f0073357cf9f7d6acb3b040fdaf446918f01256a
                                                                                      • Instruction ID: 66b7f2af6e1e00109afe9fd9f1c3058fd8df4c895de65cf13c46908161227474
                                                                                      • Opcode Fuzzy Hash: 9e6883013388f64e9fa16a16f0073357cf9f7d6acb3b040fdaf446918f01256a
                                                                                      • Instruction Fuzzy Hash: 7731E631A047009BD7209F29DC4862BB7E5FF85735F104B5FF9A4933E0D37899489696
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph: rendered graph image not reproduced; it covered basic blocks 4081e0-408637 of this function, colored Executed / Not Executed.
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,005588D8,00000000,00000000,-00589220), ref: 00408566
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00408574
                                                                                      • WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,005588D8,00000000,00000000,-00589220), ref: 00408589
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressHandleModuleProcSend
                                                                                      • String ID: Ws2_32.dll
                                                                                      • API String ID: 2819740048-3093949381
                                                                                      • Opcode ID: 605ac2d7a3170708ba1039c723fe4127dad6931d4a4a67f7d388f1b1f58ff418
                                                                                      • Instruction ID: b889a33a35ddf0adef0218ac58701f77bdbbaba15cb1320cc4c9efeef27d22b6
                                                                                      • Opcode Fuzzy Hash: 605ac2d7a3170708ba1039c723fe4127dad6931d4a4a67f7d388f1b1f58ff418
                                                                                      • Instruction Fuzzy Hash: 1BE1BC70D00258EFDF15CBA4DD917EDBBB0AF56704F14029EE8857B282DB34198ACB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph: rendered graph image not reproduced; it covered basic blocks 4f2cd0-4f2d64 of this function, colored Executed / Not Executed.
                                                                                      APIs
                                                                                      • GetFileAttributesA.KERNELBASE(?,00000005,00000005,?), ref: 004F2D0C
                                                                                      • GetLastError.KERNEL32(?,00000005,00000005,?), ref: 004F2D17
                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004F2D4E
                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 004F2D5F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
                                                                                      • String ID:
                                                                                      • API String ID: 995686243-0
                                                                                      • Opcode ID: 1a30c07ed28fe703679387aa5b2d6d259f589d07aea0d83f312770283b1f14c8
                                                                                      • Instruction ID: 325128bde6972141eaafbb0e95bf719766b08d5b5670bbe0189b29004b96e682
                                                                                      • Opcode Fuzzy Hash: 1a30c07ed28fe703679387aa5b2d6d259f589d07aea0d83f312770283b1f14c8
                                                                                      • Instruction Fuzzy Hash: 3401C071641118129A342A35ED4907F370D8713328BA80F1BEE25973D5D9DFCC45875A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph: rendered graph image not reproduced; it covered basic blocks 4d2890-4d3105 of this function, colored Executed / Not Executed.
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(?,6F2977B7,?,?,?,?,?,?,?,00000000,00000001,761B23A0,00000000), ref: 004D2D54
                                                                                        • Part of subcall function 004DB380: VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040,?,00000000), ref: 004DB3EA
                                                                                        • Part of subcall function 004DB380: WriteProcessMemory.KERNEL32(00000000,00000000,t-M,?,00000000), ref: 004DB406
                                                                                        • Part of subcall function 004DB380: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004DB43F
                                                                                        • Part of subcall function 004DB380: VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004DB469
                                                                                        • Part of subcall function 0042D43A: ReleaseSRWLockExclusive.KERNEL32(-00000008,?,004D2F08,00588C44,761B23A0,00000000), ref: 0042D44E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$AllocMemoryVirtualWrite$CurrentExclusiveLockRelease
                                                                                      • String ID: 149.18.24.96
                                                                                      • API String ID: 666592346-171400976
                                                                                      • Opcode ID: 1d6045fd94a867466258dc9314ed6a82bc2f10a032054fb872e25da8cf31b458
                                                                                      • Instruction ID: 26b9c72b6ddc4c31c1f3b4b91af9721e671e16450a7e1798ce2a3c04c8b5f315
                                                                                      • Opcode Fuzzy Hash: 1d6045fd94a867466258dc9314ed6a82bc2f10a032054fb872e25da8cf31b458
                                                                                      • Instruction Fuzzy Hash: 7432DF70900208CBDB14DF68C9957EDBBB1FF58304F14419AE8096B392DB789E85CFA6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

Control-flow Graph
                                                                                      control_flow_graph 1109 4f8d20-4f8d58 1110 4f8d5e-4f8d84 1109->1110 1111 4f8d5a-4f8d5c 1109->1111 1112 4f8d87-4f8db1 1110->1112 1111->1112 1114 4f8db3-4f8ddc call 419780 1112->1114 1115 4f8de1-4f8e07 GetLastError 1112->1115 1119 4f8edb-4f8ee1 1114->1119 1120 4f8e0d-4f8e68 call 419780 call 42e191 1115->1120 1121 4f8eaa-4f8ed7 call 419780 1115->1121 1124 4f8f15-4f8f31 1119->1124 1125 4f8ee3-4f8ef5 1119->1125 1147 4f8e6a-4f8e6f 1120->1147 1148 4f8e89-4f8ea8 call 42e1c2 1120->1148 1121->1119 1126 4f8f3b-4f8f3e 1124->1126 1127 4f8f33-4f8f39 1124->1127 1130 4f8f0b-4f8f12 call 42e183 1125->1130 1131 4f8ef7-4f8f05 1125->1131 1133 4f8f41-4f8f58 1126->1133 1127->1133 1130->1124 1131->1130 1135 4f9028-4f902f call 433500 1131->1135 1137 4f8f6c-4f8f7e call 41e890 1133->1137 1138 4f8f5a-4f8f6a 1133->1138 1141 4f8f81-4f8fa3 call 416aa0 1137->1141 1138->1141 1152 4f8fcd-4f8fd2 call 4f8120 1141->1152 1153 4f8fa5-4f8fb1 1141->1153 1150 4f8e70-4f8e79 1147->1150 1148->1119 1150->1150 1155 4f8e7b-4f8e84 call 413750 1150->1155 1160 4f8fd7-4f8fe0 1152->1160 1157 4f8fc3-4f8fca call 42e183 1153->1157 1158 4f8fb3-4f8fc1 1153->1158 1155->1148 1157->1152 1158->1135 1158->1157 1163 4f9013-4f9025 1160->1163 1164 4f8fe2-4f8ff4 1160->1164 1165 4f9006-4f9010 call 42e183 1164->1165 1166 4f8ff6-4f9004 1164->1166 1165->1163 1166->1135 1166->1165
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: ErrorLast
• String ID: -1L$-2L
• API String ID: 1452528299-3975959154
• Opcode ID: 691346873af9f375a3fd3bec6b454848e53a0b4af0cd965a2b75b339649d0642
• Instruction ID: 8532e58cabc42239c9a206463210862c2cf1955d45b676afb1905f123e481057
• Opcode Fuzzy Hash: 691346873af9f375a3fd3bec6b454848e53a0b4af0cd965a2b75b339649d0642
• Instruction Fuzzy Hash: 8BA1A071E102489BDB18DBA4CC95BFEB771FF58304F14821EE905BB281EB746A85CB54
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
                                                                                      control_flow_graph 1169 433692-43369f 1170 4336a1-4336c4 call 433473 1169->1170 1171 4336c9-4336dd call 444a79 1169->1171 1176 433830-433832 1170->1176 1177 4336e2-4336eb call 43ce6f 1171->1177 1178 4336df 1171->1178 1180 4336f0-4336ff 1177->1180 1178->1177 1181 433701 1180->1181 1182 43370f-433718 1180->1182 1183 433707-433709 1181->1183 1184 4337d9-4337de 1181->1184 1185 43371a-433727 1182->1185 1186 43372c-433760 1182->1186 1183->1182 1183->1184 1189 43382e-43382f 1184->1189 1190 43382c 1185->1190 1187 433762-43376c 1186->1187 1188 4337bd-4337c9 1186->1188 1191 433793-43379f 1187->1191 1192 43376e-43377a 1187->1192 1193 4337e0-4337e3 1188->1193 1194 4337cb-4337d2 1188->1194 1189->1176 1190->1189 1191->1193 1196 4337a1-4337bb call 433ba9 1191->1196 1192->1191 1195 43377c-43378e call 4339fe 1192->1195 1197 4337e6-4337ee 1193->1197 1194->1184 1195->1189 1196->1197 1200 4337f0-4337f6 1197->1200 1201 43382a 1197->1201 1204 4337f8-43380c call 433833 1200->1204 1205 43380e-433812 1200->1205 1201->1190 1204->1189 1207 433825-433827 1205->1207 1208 433814-433822 call 452ef0 1205->1208 1207->1201 1208->1207
Strings
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID:
• String ID: d A
• API String ID: 0-616623946
• Opcode ID: 5716fe010b3ef8e82fbddee052f2b6988042c47bb628807dafe6179510680c26
• Instruction ID: 8d691b3f4dbeef2f936747217c2848be1b4780fc272094865f28ed7dea4c0760
• Opcode Fuzzy Hash: 5716fe010b3ef8e82fbddee052f2b6988042c47bb628807dafe6179510680c26
• Instruction Fuzzy Hash: 7B51E3B4A00104AFDB14DF59CC85AAABBF1EF4D324F24915AF8099B352D379EE41CB94
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
                                                                                      control_flow_graph 1212 444019-44403b 1213 444041-444043 1212->1213 1214 44422e 1212->1214 1215 444045-444064 call 433473 1213->1215 1216 44406f-444092 1213->1216 1217 444230-444234 1214->1217 1225 444067-44406a 1215->1225 1219 444094-444096 1216->1219 1220 444098-44409e 1216->1220 1219->1220 1222 4440a0-4440b1 1219->1222 1220->1215 1220->1222 1223 4440c4-4440d4 call 443b5e 1222->1223 1224 4440b3-4440c1 call 43cecd 1222->1224 1230 4440d6-4440dc 1223->1230 1231 44411d-44412f 1223->1231 1224->1223 1225->1217 1234 444105-44411b call 44372f 1230->1234 1235 4440de-4440e1 1230->1235 1232 444186-4441a6 WriteFile 1231->1232 1233 444131-444137 1231->1233 1240 4441b1 1232->1240 1241 4441a8-4441ae GetLastError 1232->1241 1236 444172-444184 call 443bdb 1233->1236 1237 444139-44413c 1233->1237 1250 4440fe-444100 1234->1250 1238 4440e3-4440e6 1235->1238 1239 4440ec-4440fb call 443af6 1235->1239 1262 444159-44415c 1236->1262 1244 44415e-444170 call 443d9f 1237->1244 1245 44413e-444141 1237->1245 1238->1239 1246 4441c6-4441c9 1238->1246 1239->1250 1243 4441b4-4441bf 1240->1243 1241->1240 1251 4441c1-4441c4 1243->1251 1252 444229-44422c 1243->1252 1244->1262 1253 4441cc-4441ce 1245->1253 1254 444147-444154 call 443cb6 1245->1254 1246->1253 1250->1243 1251->1246 1252->1217 1258 4441d0-4441d5 1253->1258 1259 4441fc-444208 1253->1259 1254->1262 1263 4441d7-4441e9 1258->1263 1264 4441ee-4441f7 call 43bf58 1258->1264 1265 444212-444224 1259->1265 1266 44420a-444210 1259->1266 1262->1250 1263->1225 1264->1225 1265->1225 1266->1214 1266->1265
APIs
  • Part of subcall function 0044372F: GetConsoleOutputCP.KERNEL32(DB9B5AE9,00000000,00000000,00000000), ref: 00443792
• WriteFile.KERNELBASE(?,00000000,?,00000000,00000000,00000000,00000000,0000000C,?,00000000,00578C88,00000014,0043BE32,00000000,00000000,00000000), ref: 0044419E
• GetLastError.KERNEL32(?,00000000), ref: 004441A8
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: ConsoleErrorFileLastOutputWrite
• String ID:
• API String ID: 2915228174-0
• Opcode ID: a2902c3c69c25210d81bcce29da4bc8cd80d89380b950bcc4e5f7a79d08526b7
• Instruction ID: 0628d0172fcac0a10c399004d6184d52a202fa31f39ed19b8586a1ab0f8a80ff
• Opcode Fuzzy Hash: a2902c3c69c25210d81bcce29da4bc8cd80d89380b950bcc4e5f7a79d08526b7
• Instruction Fuzzy Hash: 2B61C471900119AFEF11CFA8DC84BEFBBB9BF99304F14014AE900A7202D779D955DB65
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
                                                                                      control_flow_graph 1269 44368f-4436a3 call 4491ce 1272 4436a5-4436a7 1269->1272 1273 4436a9-4436b1 1269->1273 1274 4436f7-443717 call 44913d 1272->1274 1275 4436b3-4436ba 1273->1275 1276 4436bc-4436bf 1273->1276 1286 443729 1274->1286 1287 443719-443727 call 43bf58 1274->1287 1275->1276 1278 4436c7-4436db call 4491ce * 2 1275->1278 1279 4436c1-4436c5 1276->1279 1280 4436dd-4436ed call 4491ce FindCloseChangeNotification 1276->1280 1278->1272 1278->1280 1279->1278 1279->1280 1280->1272 1289 4436ef-4436f5 GetLastError 1280->1289 1291 44372b-44372e 1286->1291 1287->1291 1289->1274
APIs
• FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00443576,00000000,CF830579,00578C68,0000000C,00443632,0043790D,?), ref: 004436E5
• GetLastError.KERNEL32(?,00443576,00000000,CF830579,00578C68,0000000C,00443632,0043790D,?), ref: 004436EF
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification
• String ID:
• API String ID: 1687624791-0
• Opcode ID: b78c23c39475fb946a6917cc79ada02ff23f82b2eae8cc914a7116fd1dd25ee2
• Instruction ID: 5b9e54e71ebf2813978f3334a6ac8d2e590d94fd15b88a1802dc34040f0fcd9e
• Opcode Fuzzy Hash: b78c23c39475fb946a6917cc79ada02ff23f82b2eae8cc914a7116fd1dd25ee2
• Instruction Fuzzy Hash: 0B118C326041153AF6302A34AC4DB3F67898B82F39F26014FF908873C2DE6D8D409658
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0043CEE6,00000000,00000000,00000000,00000002,00000000), ref: 0043CDE8
• GetLastError.KERNEL32(00000000,?,0043CEE6,00000000,00000000,00000000,00000002,00000000,?,004440BE,00000000,00000000,00000000,00000002,00000000,00000000), ref: 0043CDF5
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 0af088d07c5e9b5a66b5e22e0931705f94c426e6b0292fcf303bea830e5f1f74
• Instruction ID: 056746620e1e5b2230fb06e89194d4bad5ac0bf9516e57b03a2b19a767fcc837
• Opcode Fuzzy Hash: 0af088d07c5e9b5a66b5e22e0931705f94c426e6b0292fcf303bea830e5f1f74
• Instruction Fuzzy Hash: 62012632614119AFCF058F59CC49D9E3F2AEF89320F24020AF811AB2D0EA75ED41DBD4
Uniqueness
Uniqueness Score: -1.00%
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 05DF57EE
• Module32First.KERNEL32(00000000,00000224), ref: 05DF580E
Memory Dump Source
• Source File: 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, Offset: 05DF5000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5df5000_MPGPH131.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 42ac6b8f834d7d3206d9174c2dcaf544f4b5ef46d58161cf60c1eaae62856923
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: A0F06D32200710BFD7203BB9B88DAAE76E8BF89625F15062AE743910C0DA70E8458B61
Uniqueness
Uniqueness Score: -1.00%
APIs
• Sleep.KERNELBASE(00000065), ref: 004D2103
Strings
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: Sleep
• String ID: 131
• API String ID: 3472027048-2136814527
• Opcode ID: 7fcd9baa8a9375f207873d3bd77103b4ea8c4e2924f330d05fd9db3092bf82de
• Instruction ID: 16727208b5f08e4bea599353fbf53a6d413f31fbfb73884cdf8f34aab55cbcc4
• Opcode Fuzzy Hash: 7fcd9baa8a9375f207873d3bd77103b4ea8c4e2924f330d05fd9db3092bf82de
• Instruction Fuzzy Hash: B8F0A731B0025416EA26736D7E06B3B3F8997A5765F48009FEE403BBD2DDD9280987D6
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: abf0a6e3a039cfc2225a60bdc02679f11cf7d85a06e03d077f7d644c137d6ab0
• Instruction ID: 6ce4f48939319f72f3aec6a6d9b50e6fff9bcb1e6f6dae555552d8831335830b
• Opcode Fuzzy Hash: abf0a6e3a039cfc2225a60bdc02679f11cf7d85a06e03d077f7d644c137d6ab0
• Instruction Fuzzy Hash: 2551A0B0D002099FDB14DF59D981BAEFBB0FF49704F14825EE8146B341E779AA41CBA5
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 74b1a02970c39c47b45041c200990e685aac7fc35223ed5dd6a5c291d0407c3c
• Instruction ID: e92d0ab7a98c68cd7689e4ea664d55cb742e11440dbe97f573872f5ababe4450
• Opcode Fuzzy Hash: 74b1a02970c39c47b45041c200990e685aac7fc35223ed5dd6a5c291d0407c3c
• Instruction Fuzzy Hash: D6112A71A0410AAFDF05DF58E94199F7BF5EF48304F14405AF805EB352D670DA15CB69
Uniqueness
Uniqueness Score: -1.00%
                                                                                      APIs
                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 0040373F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                      • String ID:
                                                                                      • API String ID: 118556049-0
                                                                                      • Opcode ID: c8f910bf03f94a0f0c294a8cbb5c47e77f87340cd5e2596aba26795b41fc774c
                                                                                      • Instruction ID: 1f83190ccb7284a945d627c352a8af0deec80e54417847a9b28e6d6de5687d5d
                                                                                      • Opcode Fuzzy Hash: c8f910bf03f94a0f0c294a8cbb5c47e77f87340cd5e2596aba26795b41fc774c
                                                                                      • Instruction Fuzzy Hash: F6F024F26000009BCB14AF61E4429FAB7ECDE243A7750447FF989D7282E73EDA448788
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000008,0042C58A,?,?,00444870,00000001,00000364,?,00000008,000000FF,?,0042F3CF,?,?,00000000,?), ref: 00444F2B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      • Opcode ID: a67815bf3a869f96681a983d491eb3b40caf69aff6fa6519728d0dfc96a736c8
                                                                                      • Instruction ID: 086544c5e523b8e02c2757f3417cf7e9bd7439c420b709eac9e7cfb6d4d974b4
                                                                                      • Opcode Fuzzy Hash: a67815bf3a869f96681a983d491eb3b40caf69aff6fa6519728d0dfc96a736c8
                                                                                      • Instruction Fuzzy Hash: CEF0B4316155246BBB215E629C05B7B7788ABD17A1F158417FD04E7280CE38D80886E9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,?,?,0042F3CF,?,?,00000000,?,?,0040390D,0042C58A,?,?,0042C58A), ref: 00445956
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      • Opcode ID: f2b14cbab143d06f1f7f7dbb6931a5cb890e65deebc000058d543e0d14a0fef9
                                                                                      • Instruction ID: 47241cb67a9c7b30d4e0b830f1b418076ccf533a730137c1b779a77b3e9f7ccf
                                                                                      • Opcode Fuzzy Hash: f2b14cbab143d06f1f7f7dbb6931a5cb890e65deebc000058d543e0d14a0fef9
                                                                                      • Instruction Fuzzy Hash: 1CE0E571202A20EBFE252F265C0576B3648DB413B0F080113FD05F6292DB68CC0482ED
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0043D239
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: a91d23867b62d5b96c41623edd2e8bd3ad87182c46de236b94739b51406d3068
                                                                                      • Instruction ID: 7ae74b51c889a2cb05e6a06522f477e8d6926b4a8c7f3733491aa3a38d366a2c
                                                                                      • Opcode Fuzzy Hash: a91d23867b62d5b96c41623edd2e8bd3ad87182c46de236b94739b51406d3068
                                                                                      • Instruction Fuzzy Hash: 92D06C3200010DBBDF028F84DC06EDA3BAAFB4C714F014040FA1866120C772E822EB90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 05DF54D6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, Offset: 05DF5000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_5df5000_MPGPH131.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 4275171209-0
                                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                      • Instruction ID: e5a9e8f3a25edc37c38790a172b31c15b11300ccdb9fd42d5bc88643d1435af7
                                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                      • Instruction Fuzzy Hash: C8112B79A00208EFDB01DF98C985E99BBF5EF08350F068095FA489B361D371EA90DB90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 004446D2: GetLastError.KERNEL32(00000000,?,0044A0B9), ref: 004446D6
                                                                                        • Part of subcall function 004446D2: SetLastError.KERNEL32(00000000,00000000,?,00000008,000000FF), ref: 00444778
                                                                                      • GetACP.KERNEL32(?,?,?,?,?,?,00441B90,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0044D4AA
                                                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441B90,?,?,?,00000055,?,-00000050,?,?), ref: 0044D4E1
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0044D644
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$CodeInfoLocalePageValid
                                                                                      • String ID: utf8
                                                                                      • API String ID: 607553120-905460609
                                                                                      • Opcode ID: c45a0186f4581b71202d969cc458f697c66e26bf91fa0bd1cdd2ae7615315ff2
                                                                                      • Instruction ID: 2cfea991c2b2acc9964e98fc6b5fb71baa63820d9a3b6a37bb74a83d3ed0bc3b
                                                                                      • Opcode Fuzzy Hash: c45a0186f4581b71202d969cc458f697c66e26bf91fa0bd1cdd2ae7615315ff2
                                                                                      • Instruction Fuzzy Hash: F771D671A00605AAFB24AB75CC86BBB73A8EF05748F14442BF905D7281EF7CE944C769
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004F2189
                                                                                      • GetSystemMetrics.USER32(00000001), ref: 004F219F
                                                                                      • GetSystemMetrics.USER32(00000000), ref: 004F21A5
                                                                                      • GetDC.USER32(00000000), ref: 004F21AB
                                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 004F21BF
                                                                                      • CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 004F21D3
                                                                                      • SelectObject.GDI32(?,00000000), ref: 004F21E8
                                                                                      • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 004F2201
                                                                                      • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 004F2217
                                                                                      • GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 004F2233
                                                                                      • GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 004F225A
                                                                                      • GdipSaveImageToFile.GDIPLUS(00000000,?,?,?), ref: 004F22FD
                                                                                      • DeleteObject.GDI32(?), ref: 004F2306
                                                                                      • GdipDisposeImage.GDIPLUS(00000000), ref: 004F230D
                                                                                      • DeleteObject.GDI32(?), ref: 004F2316
                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 004F231F
                                                                                      • GdiplusShutdown.GDIPLUS(?), ref: 004F2328
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: Gdip$Image$CreateObject$BitmapCompatibleDeleteEncodersGdiplusMetricsSystem$DisposeFileFromReleaseSaveSelectShutdownSizeStartup
                                                                                      • String ID: d$image/png
                                                                                      • API String ID: 258367123-2616758285
                                                                                      • Opcode ID: d93c92cf953bbe82929a5a79100fd7e348d6b079dbf9517b437a49d65dcd1284
                                                                                      • Instruction ID: db5a99caf6ac0e95f343f652cfce475829ccb6d2aa326760d5af157a7b9552c8
                                                                                      • Opcode Fuzzy Hash: d93c92cf953bbe82929a5a79100fd7e348d6b079dbf9517b437a49d65dcd1284
                                                                                      • Instruction Fuzzy Hash: C8516D71D00209AFDF109FA4DD49BEEBBB8FF18314F100065EA05B72A1D7B99948DB64
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwind
                                                                                      • String ID: L;V$csm$csm$csm
                                                                                      • API String ID: 944608866-3339109018
                                                                                      • Opcode ID: f219870799de8bf8d93d667d8b8260d42bea9e02fac3f36c4a5e93c416ed644d
                                                                                      • Instruction ID: 1a3b2e3aada59ff5ba11aad393d6dbbfac41e5171332123353ed96db4a75ae81
                                                                                      • Opcode Fuzzy Hash: f219870799de8bf8d93d667d8b8260d42bea9e02fac3f36c4a5e93c416ed644d
                                                                                      • Instruction Fuzzy Hash: 81B19971800219EFCF18DFA5CA819AFBBB5FF08314F14605BE9106B252D7B8DA51CB99
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00451BDF), ref: 0045228C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: DecodePointer
                                                                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                      • API String ID: 3527080286-3064271455
                                                                                      • Opcode ID: 78e946a8a646183d16df3de3d23e88c0ab9a8f5197b1dee8433a7cf1ad31b41b
                                                                                      • Instruction ID: bc8b7c0c72404b0f1092b03344519f1b29bd64598f75d1cbe0b332ea915a13b4
                                                                                      • Opcode Fuzzy Hash: 78e946a8a646183d16df3de3d23e88c0ab9a8f5197b1dee8433a7cf1ad31b41b
                                                                                      • Instruction Fuzzy Hash: 40513B70A0050ADBCF148F69DA481AE7FB4FB46306F144147EC81A7266C7FC8A6EDB59
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00551780: GetVersionExA.KERNEL32(?), ref: 005517A6
                                                                                      • GetVersionExA.KERNEL32(?), ref: 00551173
                                                                                      • DeleteFileW.KERNEL32(00000000), ref: 00551192
                                                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 00551199
                                                                                      • GetLastError.KERNEL32 ref: 005511A6
                                                                                      • Sleep.KERNEL32(00000064), ref: 005511BC
                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 005511C5
                                                                                      • GetFileAttributesA.KERNEL32(00000000), ref: 005511CC
                                                                                      • GetLastError.KERNEL32 ref: 005511D9
                                                                                      • Sleep.KERNEL32(00000064), ref: 005511EF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$AttributesDeleteErrorLastSleepVersion
                                                                                      • String ID:
                                                                                      • API String ID: 1421123951-0
                                                                                      • Opcode ID: 254916c3e086d8c6bc62c099ca2d2d4904ded30bcc8ed0b7d7c71cfea1b2b4f0
                                                                                      • Instruction ID: 2cf516fa490645c339834e1360d609708cb136430ee32b1ceb257c2769835cc0
                                                                                      • Opcode Fuzzy Hash: 254916c3e086d8c6bc62c099ca2d2d4904ded30bcc8ed0b7d7c71cfea1b2b4f0
                                                                                      • Instruction Fuzzy Hash: 5F21F635900E149BCB20AB78AC9C2AD7EB4FB6A336F100197EE1AD3280DA704849D751
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

APIs
• InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 004FA320
• GetLastError.KERNEL32 ref: 004FA415
• InternetQueryOptionA.WININET(00000000,0000001F,80000000,?), ref: 004FA440
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: InternetOption$ErrorLastQuery
• String ID:
• API String ID: 3980908186-0
• Opcode ID: 13505afe8bee8b3cefde12bb8587481c6416af93cd2c35f6481ac9ff60e3cb98
• Instruction ID: f01b2b404452f55ee339e3d54677c8633c7154c7c4ff77dbfa4ec76481364019
• Opcode Fuzzy Hash: 13505afe8bee8b3cefde12bb8587481c6416af93cd2c35f6481ac9ff60e3cb98
• Instruction Fuzzy Hash: B7515EB5D40318ABEB20CF94DC85BFEBBB4EB48711F10411AEE14B7380D7B46A059BA5
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: 34bc779386904af94e3a65745d8093cf5441aa8cc4e4cdc27bc5775c85d1135f
• Instruction ID: 2b99461290635fdf7c51841e77c4c0c2a1f842bf94a4ab4c5a5740794f6651be
• Opcode Fuzzy Hash: 34bc779386904af94e3a65745d8093cf5441aa8cc4e4cdc27bc5775c85d1135f
• Instruction Fuzzy Hash: F7B16A72900255AFFB118F24CC81BAF7BA5EF17354F16415BE804AB382D67CD901CBAA
Uniqueness
Uniqueness Score: -1.00%

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0041A2CA
• std::_Lockit::_Lockit.LIBCPMT ref: 0041A2EC
• std::_Lockit::~_Lockit.LIBCPMT ref: 0041A30C
• __Getcoll.LIBCPMT ref: 0041A3AF
• std::_Facet_Register.LIBCPMT ref: 0041A413
• std::_Lockit::~_Lockit.LIBCPMT ref: 0041A42B
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
• String ID:
• API String ID: 1184649410-0
• Opcode ID: 076d0fe7c93981d2d41f397725067e6f3a6359fb17fddf899550ac6be59329cf
• Instruction ID: 4dfe593e994f1a936f3b51d0b47bc881a4e76fe992b8c8e0f1a10b66f2d188dc
• Opcode Fuzzy Hash: 076d0fe7c93981d2d41f397725067e6f3a6359fb17fddf899550ac6be59329cf
• Instruction Fuzzy Hash: C751F0B0901218DFCB11DF59E9857EEBBB0EF04314F14411EE806AB381D738AE85CB96
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?), ref: 005512E3
• CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,7FFFFFFD,00000000,00000000), ref: 00551313
• CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,7FFFFFFD,00000000,00000000), ref: 0055131B
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: CreateFile$Version
• String ID:
• API String ID: 1715692615-0
• Opcode ID: a50e396471c21bd5292f2ea255f87583e8432b1e27d6808c766b3da514bf39bc
• Instruction ID: b4edcec529d807a06da9efb1c5396e9c71554b609393fe2db9d6cd66cb1a39d6
• Opcode Fuzzy Hash: a50e396471c21bd5292f2ea255f87583e8432b1e27d6808c766b3da514bf39bc
• Instruction Fuzzy Hash: C561CC71604702ABDB10DF29D854BABBFE4FF84315F04492AFC99D6280EB35D9098B96
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 004073FD
Strings
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID: 0f@$0f@$ror
• API String ID: 2659868963-919343903
• Opcode ID: 54ef4146cc9973e50abdb5aac5b5de4deb1e0ccdb64d7a1b44ba731a5b074de1
• Instruction ID: 2d5b59f1ef23ddaf1b3783c953f764ee005f0a1066ad4b0af46aed6f156e7821
• Opcode Fuzzy Hash: 54ef4146cc9973e50abdb5aac5b5de4deb1e0ccdb64d7a1b44ba731a5b074de1
• Instruction Fuzzy Hash: 0981E471D002149FDB14DF98DC81BADBBB1FF49304F14826EE858AB392D774A980DB95
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 004071FE
Strings
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID: 0f@$0f@$ange
• API String ID: 2659868963-373280750
• Opcode ID: ec8c38be1f093bccec6f39d26ed8a8a50c4b02158e6fab184ee58c429a3f3a88
• Instruction ID: 288f119f4ccb4c7cf0b8972ea0ca9e4329cc491e57a4aee3b53e0c7375ef9e73
• Opcode Fuzzy Hash: ec8c38be1f093bccec6f39d26ed8a8a50c4b02158e6fab184ee58c429a3f3a88
• Instruction Fuzzy Hash: 3E51F371D002449BDB18CFA8DC847ADBBB0FF85304F24836EE4157B391E7B8A9848B55
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 0041417F
• ___std_exception_copy.LIBVCRUNTIME ref: 004141A6
Strings
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID: 0f@$0f@
• API String ID: 2659868963-4245790314
• Opcode ID: a0ec767d29c154d107e2924c90945eb70bd3bcc0216d37c8e4efd4af5cc58e06
• Instruction ID: a7d6c344e60e7f18edcee1d7e68ac694af1bcf80748ebca3b88f48a52b3fdaf1
• Opcode Fuzzy Hash: a0ec767d29c154d107e2924c90945eb70bd3bcc0216d37c8e4efd4af5cc58e06
• Instruction Fuzzy Hash: 53F0FFB6910B16AB8751DFA6D440882FBFCFE55310750872BA51597A00F7B4F5588BA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 0041424F
• ___std_exception_copy.LIBVCRUNTIME ref: 00414276
Strings
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID: 0f@$0f@
• API String ID: 2659868963-4245790314
• Opcode ID: 7df463b482ac48a62a19cdfd521df996d263433cd12c62f8aacd95f3aeb874f2
• Instruction ID: c81a8536ff326cbba859ccac6298cb5db3856efc80ffb62d725151cad3de68e9
• Opcode Fuzzy Hash: 7df463b482ac48a62a19cdfd521df996d263433cd12c62f8aacd95f3aeb874f2
• Instruction Fuzzy Hash: D8F0FFB6910B16AB8751DF65D440882FBFCFE55324350872BA5159BA00F7B4F6588BA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(A{C,?,00437B41,?), ref: 00446268
• GetLastError.KERNEL32(?,00437B41,?), ref: 00446272
• __dosmaperr.LIBCMT ref: 00446279
Strings
Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID: DeleteErrorFileLast__dosmaperr
• String ID: A{C
• API String ID: 1545401867-2902953714
• Opcode ID: d06e79dd3ba0cf7262f3e9d2e22031695f25905068d46e1a3810f42683731183
• Instruction ID: 82298aed12121fbb76aae4bd86d3a8824ef8c8c9545724addf748e8f9a95ec58
• Opcode Fuzzy Hash: d06e79dd3ba0cf7262f3e9d2e22031695f25905068d46e1a3810f42683731183
• Instruction Fuzzy Hash: E2D02232018A093B8B002BFAFC0C81B3F1CDAC23B4B112212F12CC21A0DF79C880E540
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7511f47f2b8d2fe514c419f7a8a5e884613d924f38ebbfd2c945a9fddd631bd9
• Instruction ID: 2126f9bf5856ab37efc9431dc69293eb0664d4eadafdfeefbb5e8820937b8c22
• Opcode Fuzzy Hash: 7511f47f2b8d2fe514c419f7a8a5e884613d924f38ebbfd2c945a9fddd631bd9
• Instruction Fuzzy Hash: 0D41D572A00204AFD7259F3ACC42B6BBBA9EB8C714F10552FF951DB3C1D2B9A9408784
Uniqueness
Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 004494E3: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004450F2,?,00000000,-00000008), ref: 00449544
                                                                                      • GetLastError.KERNEL32 ref: 0044A2DE
                                                                                      • __dosmaperr.LIBCMT ref: 0044A2E5
                                                                                      • GetLastError.KERNEL32(?,?,?,?), ref: 0044A31F
                                                                                      • __dosmaperr.LIBCMT ref: 0044A326
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000009.00000002.3349156602.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000590000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                      • Associated: 00000009.00000002.3349156602.0000000000593000.00000040.00000001.01000000.00000005.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_400000_MPGPH131.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                      • String ID:
                                                                                      • API String ID: 1913693674-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044B226
  • Part of subcall function 004494E3: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004450F2,?,00000000,-00000008), ref: 00449544
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044B25E
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044B27E
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 00490044
• GetCurrentProcessId.KERNEL32 ref: 0049004C
• SetEvent.KERNEL32 ref: 00490069
• WaitForSingleObject.KERNEL32(000000FF), ref: 00490077
Similarity
• API ID: Current$EventObjectProcessSingleThreadWait
• String ID:
• API String ID: 977356572-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___std_fs_get_full_path_name@12.LIBCPMT ref: 004061F2
Strings
Similarity
• API ID: ___std_fs_get_full_path_name@12
• String ID: absolute$h<W
• API String ID: 319883303-1227054036
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 004F2360
• GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 004F238D
Strings
Similarity
• API ID: EncodersGdipImage$Size
• String ID: image/png
• API String ID: 864223233-2966254431
Uniqueness
• Uniqueness Score: -1.00%

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00404141
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00404190
Strings
Similarity
• API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
• String ID: bad locale name
• API String ID: 3988782225-1405518554
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,00000000,?,0055200A), ref: 0055211A
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000, U,00000000,00000000,0055200A), ref: 0055214A
Strings
Similarity
• API ID: ByteCharMultiWide
• String ID: U
• API String ID: 626452242-2085870877
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 004141EF
• ___std_exception_copy.LIBVCRUNTIME ref: 00414216
Strings
Similarity
• API ID: ___std_exception_copy
• String ID: 0f@
• API String ID: 2659868963-2656153907
Uniqueness
• Uniqueness Score: -1.00%