Windows Analysis Report
k3yYC4F6nT.exe

Overview

General Information

Sample Name: k3yYC4F6nT.exe
Original Sample Name: f9d4a14f2de2540ca26fc868055c65b3.exe
Analysis ID: 1292564
MD5: f9d4a14f2de2540ca26fc868055c65b3
SHA1: 0b2422f5f44e2fc58d969af28c90d224a6555486
SHA256: 5b92db9823ea621b158edcff6963b63b22b00b58750d74de1f6dc7fb3e962cd3
Tags: 32exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Contains VNC / remote desktop functionality (version string found)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Creates driver files
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

  • System is w10x64
  • k3yYC4F6nT.exe (PID: 5332 cmdline: C:\Users\user\Desktop\k3yYC4F6nT.exe MD5: F9D4A14F2DE2540CA26FC868055C65B3)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: k3yYC4F6nT.exe, ReversingLabs: Detection: 18%
Source: k3yYC4F6nT.exe, Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\PECMD.exe, ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\PECMD.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe, Code function: 0_2_00BD0B60 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptEncrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,GetLastError,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptReleaseContext,GetLastError
Source: k3yYC4F6nT.exe, 00000000.00000000.368345967.0000000000EDE000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: k3yYC4F6nT.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe, File opened: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\msvcr71.dll
Source: k3yYC4F6nT.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \Release\onekey.pdb source: k3yYC4F6nT.exe
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010387000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\Project\MiniTPFw\MiniTPFw\Release\MiniTPFw.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: atl71.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmp, atl71.dll.0.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010387000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: k3yYC4F6nT.exe, 00000000.00000003.396590876.0000000007670000.00000004.00001000.00020000.00000000.sdmp, k3yYC4F6nT.exe, 00000000.00000003.396218067.000000000792C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\ReleseDll.vc7\XLBugHandler.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp71.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr71.pdb\ source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: atl71.pdbT source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmp, atl71.dll.0.dr
Source: Binary string: bootmgfw.pdb source: k3yYC4F6nT.exe, 00000000.00000003.383923114.00000000070AB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\winddk\isodrive\driver\objfre_wnet_AMD64\amd64\ISODrive.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\winddk\isodrive\driver\objfre_wnet_AMD64\amd64\ISODrive.pdb! source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\Release.vc7\XLBugReport.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp, XLBugReport.exe.0.dr
Source: Binary string: e:\code_svn\xl_framework\xl_component\minizip\Release\minizip.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010492000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\Release.vc7\XLBugReport.pdbD0B source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp, XLBugReport.exe.0.dr
Source: Binary string: \fbinst\myfbinst\Release\myfbinst.pdb source: fbinsttweak.exe.0.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\winddk\isodrive\driver\objfre_wnet_x86\i386\ISODrive.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr71.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\winddk\isodrive\isocmd\objfre_wnet_x86\i386\isocmd.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe, Code function: 0_2_00B32AA0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe, Code function: 0_2_00C87A27 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose
Source: unknown, DNS traffic detected: queries for: jsy.newitboy.com
Source: k3yYC4F6nT.exe, 00000000.00000002.908608418.0000000002CDA000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeCode function: String function: 00B44260 appears 234 times
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeCode function: String function: 00DBE02B appears 40 times
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeCode function: String function: 00DBF942 appears 33 times
Source: k3yYC4F6nT.exeStatic PE information: Resource name: BINARY type: 7-zip archive data, version 0.4
Source: k3yYC4F6nT.exeStatic PE information: Resource name: BINARY type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: PECMD.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SDL.dll.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: bootmgr.exe.mui.0.drStatic PE information: No import functions for PE file found
Source: bootmgfw.efi.0.drStatic PE information: No import functions for PE file found
Source: bootmgfw.efi.mui.0.drStatic PE information: No import functions for PE file found
Source: k3yYC4F6nT.exe, 00000000.00000003.396218067.0000000007920000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamexldl4 vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.396590876.0000000007670000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameultraiso.exeB vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.396590876.0000000007670000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamexldl4 vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000002.901831770.0000000002854000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010492000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMSVCR71.DLL\ vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010492000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameThunderFW2 vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010492000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameThunderFW( vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXLBugHan.dll8 vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXLBugReport.exe. vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamezlib1.dll* vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameisocmd.exe. vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameISODrive.sys2 vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.383923114.00000000070AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebootmgr.exej% vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.383923114.00000000070AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebootmgr.exe.muij% vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMiniThunderPlatform4 vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMiniTPFw.exeJ vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameminizip.dll> vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMSVCP71.DLL\ vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameATL71.DLL< vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedl_peer_id2 vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedl_peer_id( vs k3yYC4F6nT.exe
Source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedownload_interface.dll0 vs k3yYC4F6nT.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeFile created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\ISOCmd\ISODrive.sysJump to behavior
Source: bootmgr.exe.mui.0.drStatic PE information: Section .rsrc
Source: bootmgfw.efi.mui.0.drStatic PE information: Section .rsrc
Source: bootice.exe.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9968455481150794
Source: PECMD.exe.0.drStatic PE information: Section: .MPRESS1 ZLIB complexity 1.0003401131465517
Source: k3yYC4F6nT.exeReversingLabs: Detection: 18%
Source: k3yYC4F6nT.exeVirustotal: Detection: 27%
Source: k3yYC4F6nT.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor WHERE (Name IS NOT NULL)
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeFile created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuDJump to behavior
Source: classification engineClassification label: mal76.troj.evad.winEXE@1/68@2/11
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeMutant created: \Sessions\1\BaseNamedObjects\?????????
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeCode function: 0_2_00CCDB7C FindResourceW,LoadResource,LockResource,SizeofResource,FreeResource,0_2_00CCDB7C
Source: k3yYC4F6nT.exeString found in binary or memory: set-addPolicy
Source: k3yYC4F6nT.exeString found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeFile written: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\uikey.iniJump to behavior
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeWindow detected: Number of UI elements: 103
Source: k3yYC4F6nT.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeFile opened: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\msvcr71.dllJump to behavior
Source: k3yYC4F6nT.exeStatic file information: File size 30775808 > 1048576
Source: k3yYC4F6nT.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x3aca00
Source: k3yYC4F6nT.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2b8200
Source: k3yYC4F6nT.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1688600
Source: k3yYC4F6nT.exeStatic PE information: More than 200 imports for KERNEL32.dll
Source: k3yYC4F6nT.exeStatic PE information: More than 200 imports for USER32.dll
Source: k3yYC4F6nT.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: k3yYC4F6nT.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: k3yYC4F6nT.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: k3yYC4F6nT.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: k3yYC4F6nT.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: k3yYC4F6nT.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: k3yYC4F6nT.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \Release\onekey.pdb source: k3yYC4F6nT.exe
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010387000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\Project\MiniTPFw\MiniTPFw\Release\MiniTPFw.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: atl71.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmp, atl71.dll.0.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010387000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: k3yYC4F6nT.exe, 00000000.00000003.396590876.0000000007670000.00000004.00001000.00020000.00000000.sdmp, k3yYC4F6nT.exe, 00000000.00000003.396218067.000000000792C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\ReleseDll.vc7\XLBugHandler.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp71.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr71.pdb\ source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: atl71.pdbT source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmp, atl71.dll.0.dr
Source: Binary string: bootmgfw.pdb source: k3yYC4F6nT.exe, 00000000.00000003.383923114.00000000070AB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\winddk\isodrive\driver\objfre_wnet_AMD64\amd64\ISODrive.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\winddk\isodrive\driver\objfre_wnet_AMD64\amd64\ISODrive.pdb! source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\Release.vc7\XLBugReport.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp, XLBugReport.exe.0.dr
Source: Binary string: e:\code_svn\xl_framework\xl_component\minizip\Release\minizip.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010492000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\Release.vc7\XLBugReport.pdbD0B source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp, XLBugReport.exe.0.dr
Source: Binary string: \fbinst\myfbinst\Release\myfbinst.pdb source: fbinsttweak.exe.0.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.0000000010042000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\winddk\isodrive\driver\objfre_wnet_x86\i386\ISODrive.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr71.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000103BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\winddk\isodrive\isocmd\objfre_wnet_x86\i386\isocmd.pdb source: k3yYC4F6nT.exe, 00000000.00000003.393293776.00000000104B4000.00000004.00000020.00020000.00000000.sdmp
Source: k3yYC4F6nT.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: k3yYC4F6nT.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: k3yYC4F6nT.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: k3yYC4F6nT.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: k3yYC4F6nT.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\k3yYC4F6nT.exeCode function: 0_2_00DBEACB push ecx; ret 0_2_00DBEADE
Source: k3yYC4F6nT.exeStatic PE information: section name: .giats
Source: k3yYC4F6nT.exeStatic PE information: section name: .detourc
Source: k3yYC4F6nT.exeStatic PE information: section name: .detourd
Source: 7z.dll.0.drStatic PE information: section name: .sxdata
Source: MiniThunderPlatform.exe.0.drStatic PE information: section name: .textbss
Source: aria2c.exe.0.drStatic PE information: section name: /4
Source: GDisk.exe.0.drStatic PE information: section name: .mixcrt
Source: libwim-15.dll.0.drStatic PE information: section name: /4
Source: PECMD.exe.0.drStatic PE information: section name: .MPRESS1
Source: PECMD.exe.0.drStatic PE information: section name: .MPRESS2
Source: libpdcurses.dll.0.drStatic PE information: section name: /4
Source: libssp-0.dll.0.drStatic PE information: section name: /4
Source: QEMU.exe.0.drStatic PE information: section name: /4
Source: wimlib-imagex.exe.0.drStatic PE information: section name: /4
Source: bootmgfw.efi.0.drStatic PE information: section name: PAGER32C
Source: bootmgfw.efi.0.drStatic PE information: section name: PAGER32R
Source: initial sampleStatic PE information: section where entry point is pointing to: .MPRESS2
Source: libssp-0.dll.0.drStatic PE information: 0x68AC6D00 [Mon Aug 25 14:02:40 2025 UTC]
Source: initial sampleStatic PE information: section name: .MPRESS1 entropy: 7.999318130327087
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\ISOCmd\ISODrive.sys
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\ISOCmd\ISODrv64.sys
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootmgfw.efi
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\7z.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\SDL.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\zlib1.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\MiniThunderPlatform.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\XLBugHandler.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\atl71.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bcdedit.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootsect.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\msvcr71.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\MiniTPFw.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\GDisk.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\libpdcurses.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\libssp-0.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\fbinst.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\xldl.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\msvcp71.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\aria2c.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootice.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\XLBugReport.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\ISOCmd\ISOCmd.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\QEMU.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\download_engine.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\ThunderFW.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\libz-1.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\UltraISO.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\libwim-15.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\wimlib-imagex.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\PECMD.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\oscdimg.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\fbinsttweak.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\minizip.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootmgfw.efi.mui
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\devcon.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\aria2cxp.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\dl_peer_id.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; File created: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootmgr.exe.mui
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\k3yYC4F6nT.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController WHERE (description IS NOT NULL)
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\SDL.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\zlib1.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootmgfw.efi
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\XLBugHandler.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\MiniThunderPlatform.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\atl71.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bcdedit.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootsect.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\msvcr71.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\MiniTPFw.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\GDisk.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\libpdcurses.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\libssp-0.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\xldl.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\fbinst.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\msvcp71.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\aria2c.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootice.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\XLBugReport.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\ISOCmd\ISOCmd.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\QEMU.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\download_engine.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\ISOCmd\ISODrv64.sys
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\ThunderFW.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\libz-1.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\UltraISO.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\libwim-15.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\wimlib-imagex.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\PECMD.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\oscdimg.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\fbinsttweak.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\minizip.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\devcon.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootmgfw.efi.mui
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\aria2cxp.exe
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\ISOCmd\ISODrive.sys
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\dl_peer_id.dll
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootmgr.exe.mui
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor WHERE (Name IS NOT NULL)
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem WHERE (Model IS NOT NULL)
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard WHERE (Product IS NOT NULL)
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: 0_2_00B32AA0 FindFirstFileW,FindNextFileW,FindClose,0_2_00B32AA0
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: 0_2_00C87A27 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,0_2_00C87A27
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/pcie_host.c
Source: QEMU.exe.0.drBinary or memory string: qemu: bad bluetooth parameter '%s'
Source: QEMU.exe.0.drBinary or memory string: qemu: invalid ram size: %s
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/blkdebug.c
Source: QEMU.exe.0.drBinary or memory string: virtio-serialvirtconsolevirtcon%dqemu: could not open virtio console '%s': %s
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/ide/pci.h
Source: QEMU.exe.0.drBinary or memory string: Virtual disk sizereadwriteignoreenospcstopreport'%s' invalid %s error action %s{ 'class': 'DeviceNotRemovable', 'data': { 'device': %s } }d:/src/qemu/repo.or.cz/qemu/ar7/blockdev.c{ 'class': 'DeviceLocked', 'data': { 'device': %s } }driveif%dindexfiledinfo->refcount-hd-cdscsiidebusunitcylsheadssecssnapshotreadonlyserialunsupported bus type '%s'invalid physical cyls numberinvalid physical heads numberinvalid physical secs numbertrans'%s' trans must be used with cyls,heads and secsnonelbaauto'%s' invalid translation typemediadiskcdrom'%s' invalid physical CHS format'%s' invalid mediacacheoffwritebackunsafewritethroughinvalid cache optionformat?Supported formats:
Source: QEMU.exe.0.drBinary or memory string: dp8381xd:/src/qemu/repo.or.cz/qemu/ar7/hw/dp8381x.caddr < 0x80 && !(addr & 3)addr >= 0x80 && addr < 0x100 && !(addr & 3)DP8381X %-24slen=%u
Source: QEMU.exe.0.drBinary or memory string: csrhci_in_packetcsrhci_in_packet_vendorqemu file buffer expansion failed
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/scsi-bus.c
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/savevm.c
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/smbus.c
Source: QEMU.exe.0.drBinary or memory string: qemu_cond_init
Source: QEMU.exe.0.drBinary or memory string: S_onoff'on' or 'off'{ 'class': 'InvalidParameterValue', 'data': { 'name': %s, 'expected': %s } }d:/src/qemu/repo.or.cz/qemu/ar7/qemu-option.ca sizeYou may use k, M, G or T suffixes for kilobytes, megabytes, gigabytes and terabytes.
Source: QEMU.exe.0.drBinary or memory string: qemu-icon.bmp
Source: QEMU.exe.0.drBinary or memory string: %s,cyls=%d,heads=%d,secs=%d%slbaautoqemu: invalid physical CHS format
Source: QEMU.exe.0.drBinary or memory string: qemu: Can't open `%s': %s (%i)
Source: QEMU.exe.0.drBinary or memory string: spicespice is not supported by this qemu build.
Source: QEMU.exe.0.drBinary or memory string: qemu: fatal:
Source: k3yYC4F6nT.exe, 00000000.00000003.396799302.0000000004D36000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ls/QEMU/
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/ioh3420.c
Source: QEMU.exe.0.drBinary or memory string: qemu_thread_init
Source: QEMU.exe.0.drBinary or memory string: qemu_fopen: Argument validity check failed
Source: QEMU.exe.0.drBinary or memory string: qemu: Too many bluetooth HCIs (max %i).
Source: QEMU.exe.0.drBinary or memory string: isa-debugconnoneqemu: too many virtio consoles
Source: k3yYC4F6nT.exe, 00000000.00000003.396799302.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, k3yYC4F6nT.exe, 00000000.00000003.396855850.0000000004D3D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tools\QEMU\libssp-0.dll
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/usb-bus.cport != NULLUSB support not enabled
Source: QEMU.exe.0.drBinary or memory string: -d item1,... output log to /tmp/qemu.log (use -d ? for a list of log items)
Source: QEMU.exe.0.drBinary or memory string: !strncmp(s->directory.pointer, "QEMU", 4)
Source: k3yYC4F6nT.exe, 00000000.00000003.396799302.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, k3yYC4F6nT.exe, 00000000.00000003.396855850.0000000004D3D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tools\QEMU\libz-1.dll
Source: QEMU.exe.0.drBinary or memory string: qemu.wav
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/qcow2-refcount.cmeta_offset >= (s->free_cluster_index * s->cluster_size)size > 0 && size <= s->cluster_sizel1_size == s->l1_sizeERROR refcount block %d is not cluster aligned; refcount table entry corrupted
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qint.c
Source: QEMU.exe.0.drBinary or memory string: Ed:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLd:/src/qemu/repo.or.cz/qemu/ar7/qbool.cobj != NULL
Source: QEMU.exe.0.drBinary or memory string: qemuusage: %s [options] [disk_image]
Source: QEMU.exe.0.drBinary or memory string: cloop.dmg1.2.3dmgBochs Virtual HD ImageRedologGrowingbochssizeconectixblock-vpc: The header checksum of '%s' is incorrect.
Source: QEMU.exe.0.drBinary or memory string: qemu: bad scatternet '%s'
Source: QEMU.exe.0.drBinary or memory string: qemu: unrecognised bluetooth vlan Id
Source: QEMU.exe.0.drBinary or memory string: hosthostnamedhcpstartdnstftpbootfilesmbsmbserverip/24netrestrictnet=%s, restricted=%cchannel,d:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLd:/src/qemu/repo.or.cz/qemu/ar7/qint.cobj != NULL
Source: QEMU.exe.0.drBinary or memory string: QEMU USB Net CDC
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/eepro100.c
Source: QEMU.exe.0.drBinary or memory string: QEMU_AUDIO_DRVCould not initialize audio subsystem
Source: QEMU.exe.0.drBinary or memory string: qemu: too many virtio consoles
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/virtio-pci.c
Source: QEMU.exe.0.drBinary or memory string: QEMUQEMU DVD-ROMQEMU HARDDISKQEMU MICRODRIVE
Source: QEMU.exe.0.drBinary or memory string: xend will use this when starting qemu
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/qdev.c
Source: QEMU.exe.0.drBinary or memory string: qemu-icon.bmprbspaceexclamquotedblnumbersigndollarpercentampersandapostropheparenleftparenrightasteriskpluscommaminusperiodslash023456789colonsemicolonlessequalgreaterquestionatABCDEFGHIJKLMNOPQRSTUVWXYZbracketleftbackslashbracketrightasciicircumunderscoregraveabcdefghijklmnopqrstuvwxyzbraceleftbarbracerightasciitildenobreakspaceexclamdowncentsterlingcurrencyyenbrokenbarsectiondiaeresiscopyrightordfeminineguillemotleftnotsignhyphenregisteredmacrondegreeplusminustwosuperiorthreesuperioracutemuparagraphperiodcenteredcedillaonesuperiormasculineguillemotrightonequarteronehalfthreequartersquestiondownAgraveAacuteAcircumflexAtildeAdiaeresisAringAECcedillaEgraveEacuteEcircumflexEdiaeresisIgraveIacuteIcircumflexIdiaeresisETHEthNtildeOgraveOacuteOcircumflexOtildeOdiaeresismultiplyOobliqueOslashUgraveUacuteUcircumflexUdiaeresisYacuteTHORNThornssharpagraveaacuteacircumflexatildeadiaeresisaringaeccedillaegraveeacuteecircumflexediaeresisigraveiacuteicircumflexidiaeresisethntildeograveoacuteocircumflexotildeodiaeresisdivisionoslashoobliqueugraveuacuteucircumflexudiaeresisyacutethornydiaeresisEuroSignControl_LControl_RAlt_LAlt_RCaps_LockMeta_LMeta_RShift_LShift_RSuper_LSuper_RBackSpaceTabReturnRightLeftUpDownPage_DownPage_UpInsertDeleteHomeEndScroll_LockF1F2F3F4F5F6F7F8F9F10F11F12F13F14F15Sys_ReqKP_0KP_1KP_2KP_3KP_4KP_5KP_6KP_7KP_8KP_9KP_AddKP_DecimalKP_DivideKP_EnterKP_EqualKP_MultiplyKP_SubtracthelpMenuPowerPrintMode_switchMulti_KeyNum_LockPauseEscapeE
Source: QEMU.exe.0.drBinary or memory string: Dd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLd:/src/qemu/repo.or.cz/qemu/ar7/qlist.cobj != NULLobj->type->destroy != NULL
Source: QEMU.exe.0.drBinary or memory string: serial%dqemu: could not open serial device '%s': %s
Source: QEMU.exe.0.drBinary or memory string: # qemu config file
Source: QEMU.exe.0.drBinary or memory string: qemu_st64
Source: k3yYC4F6nT.exe, 00000000.00000003.396799302.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, k3yYC4F6nT.exe, 00000000.00000003.396855850.0000000004D3D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tools\QEMU\vgabios-stdvga.bint[
Source: QEMU.exe.0.drBinary or memory string: qemu: Unknown bluetooth HCI `%s'.
Source: QEMU.exe.0.drBinary or memory string: vhciqemu: bad scatternet '%s'
Source: QEMU.exe.0.drBinary or memory string: QEMU Bluetooth HID
Source: QEMU.exe.0.drBinary or memory string: QEMUf
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/isa-bus.c
Source: k3yYC4F6nT.exe, 00000000.00000003.377763701.0000000005722000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: QEMU.exe.0.drBinary or memory string: Kd:/src/qemu/repo.or.cz/qemu/ar7/tcg/tcg.c%s:%d: tcg fatal error
Source: QEMU.exe.0.drBinary or memory string: QEMU USB Serial
Source: k3yYC4F6nT.exe, 00000000.00000003.396799302.0000000004D36000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tools/QEMU/SDL.dll?Q>
Source: QEMU.exe.0.drBinary or memory string: qemu: invalid resolution or depth
Source: QEMU.exe.0.drBinary or memory string: cpudefqemu64phenomcore2duokvm64qemu32kvm32coreduo486pentiumpentium2pentium3athlonn270fpuvmedepsetscmsrpaemcecx8apicsepmtrrpgemcacmovpatpse36pnclflushdsacpimmxfxsrssesse2sshttmia64pbepni|sse3pclmuldqdtes64monitords_cplvmxsmxesttm2ssse3cidfmacx16xtprpdcmdcasse4.1|sse4_1sse4.2|sse4_2x2apicmovbepopcntaesxsaveosxsaveavxsyscallnxmmxextfxsr_optpdpe1gbrdtscplm3dnowext3dnowlahf_lmcmp_legacysvmextapiccr8legacyabmsse4amisalignsse3dnowprefetchosvwibsxopskinitwdtfma4cvt16nodeid_msrkvmclockkvm_nopiodelaykvm_mmukvm_asyncpfnptlbrvsvm_locknrip_savetsc_scalevmcb_cleanflushbyasiddecodeassistspause_filterpfthresholdUnknown error %d
Source: QEMU.exe.0.drBinary or memory string: OKT02E14E22qemu.sstepbitsENABLE=%x,NOIRQ=%x,NOTIMER=%xqemu.sstep0x%xCQC1fThreadInfosThreadInfom%xlThreadExtraInfo,CPU#%d [%s]Rcmd,E01SupportedPacketSize=%x
Source: QEMU.exe.0.drBinary or memory string: qemu: Unsupported NIC model: %s
Source: QEMU.exe.0.drBinary or memory string: QEMU %s monitor - type 'help' for more information
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/e100.c
Source: QEMU.exe.0.drBinary or memory string: ddtypetokenxyd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLobj->type->destroy != NULLparse error:
Source: QEMU.exe.0.drBinary or memory string: c:/Program Files/QemuNumber of SMP cpus requested (%d), exceeds max cpus supported by machine `%s' (%d)
Source: QEMU.exe.0.drBinary or memory string: Please report this to qemu-devel@nongnu.org
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/tnetw1130.c
Source: QEMU.exe.0.drBinary or memory string: Ed:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLd:/src/qemu/repo.or.cz/qemu/ar7/qfloat.cobj != NULL
Source: k3yYC4F6nT.exe, 00000000.00000003.396799302.0000000004D36000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tools/QEMU/QEMU.exe
Source: QEMU.exe.0.drBinary or memory string: qemu: error: init_dgram: fd=%d unbound, cannot setup multicast dst addr
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/scsi-disk.cr->req.aiocb == NULLscsi-disk: Bad write tag 0x%x
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/pcie.c
Source: QEMU.exe.0.drBinary or memory string: bt_l2cap_sdp_sdu_inhttp://bellard.org/qemu/user-doc.htmlQEMU 0.14.50QEMU Bluetooth HIDQEMU Keyboard/Mouse%s: ACL packet too short (%iB)
Source: QEMU.exe.0.drBinary or memory string: E, obj->type->destroy != NULL: d:/src/qemu/repo.or.cz/qemu/ar7/qjson.cobj != NULLd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLobj->type->destroy != NULL
Source: QEMU.exe.0.drBinary or memory string: { 'class': 'BadBusForDevice', 'data': { 'device': %s, 'bad_bus_type': %s } }QDict not specifiedinvalid format '%s'd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLerror format is not a QDict '%s'classmissing 'class' key in '%s''class' key value should be a QStringdatamissing 'data' key in '%s''data' key value should be a QDICTerror format '%s' not foundd:/src/qemu/repo.or.cz/qemu/ar7/qerror.cqerror->entry != NULLexpected '%c' in '%s'key '%s' not found in QDictinvalid type '%c'obj->type->destroy != NULL%sobj != NULLDevice '%(device)' can't go on a %(bad_bus_type) busBus '%(bus)' not found{ 'class': 'BusNotFound', 'data': { 'bus': %s } }Bus '%(bus)' does not support hotplugging{ 'class': 'BusNoHotplug', 'data': { 'bus': %s } }The command %(name) has not been found{ 'class': 'CommandNotFound', 'data': { 'name': %s } }Device '%(device)' is encrypted{ 'class': 'DeviceEncrypted', 'data': { 'device': %s } }Device '%(device)' could not be initialized{ 'class': 'DeviceInitFailed', 'data': { 'device': %s } }Device '%(device)' is in use{ 'class': 'DeviceInUse', 'data': { 'device': %s } }Device '%(device)' is locked{ 'class': 'DeviceLocked', 'data': { 'device': %s } }Device '%(device)' has multiple child busses{ 'class': 'DeviceMultipleBusses', 'data': { 'device': %s } }Device '%(device)' has not been activated{ 'class': 'DeviceNotActive', 'data': { 'device': %s } }Device '%(device)' is not encrypted{ 'class': 'DeviceNotEncrypted', 'data': { 'device': %s } }Device '%(device)' not found{ 'class': 'DeviceNotFound', 'data': { 'device': %s } }Device '%(device)' is not removable{ 'class': 'DeviceNotRemovable', 'data': { 'device': %s } }Device '%(device)' has no child bus{ 'class': 'DeviceNoBus', 'data': { 'device': %s } }Device '%(device)' does not support hotplugging{ 'class': 'DeviceNoHotplug', 'data': { 'device': %s } }Duplicate ID '%(id)' for %(object){ 'class': 'DuplicateId', 'data': { 'id': %s, 'object': %s } }File 
descriptor named '%(name)' not found{ 'class': 'FdNotFound', 'data': { 'name': %s } }No file descriptor supplied via SCM_RIGHTS{ 'class': 'FdNotSupplied', 'data': {} }Invalid block format '%(name)'{ 'class': 'InvalidBlockFormat', 'data': { 'name': %s } }Invalid parameter '%(name)'{ 'class': 'InvalidParameter', 'data': { 'name': %s } }Invalid parameter type, expected: %(expected){ 'class': 'InvalidParameterType', 'data': { 'name': %s,'expected': %s } }Parameter '%(name)' expects %(expected){ 'class': 'InvalidParameterValue', 'data': { 'name': %s, 'expected': %s } }Password incorrect{ 'class': 'InvalidPassword', 'data': {} }Invalid JSON syntax{ 'class': 'JSONParsing', 'data': {} }Using KVM without %(capability), %(feature) unavailable{ 'class': 'KVMMissingCap', 'data': { 'capability': %s, 'feature': %s } }An incoming migration is expected before this command can be executed{ 'class': 'MigrationExpected', 'data': {} }Parameter '%(name)' is missing{ 'class': 'MissingParameter', 'data': { 'name': %s } }No '%(bus)' bus found for device '%(devi
Source: QEMU.exe.0.drBinary or memory string: ^QEMU 0.14.5010
Source: QEMU.exe.0.drBinary or memory string: qemu: warning: adding a slave device to an empty scatternet %i
Source: QEMU.exe.0.drBinary or memory string: hpetisa-pitisa-serialindexchardevisa-paralleli8042vmportvmmouseps2_mouseport92isa-fdcdriveAdriveBlsi53c895apc_vga_initShutdown
Source: QEMU.exe.0.drBinary or memory string: \\.\//./qemd:/src/qemu/repo.or.cz/qemu/ar7/block.cp != NULL!bs->peerbs != bs_snapshotsdrv != NULLbs->peer == qdevqcow2sizebacking_fmtraw%sbs->drvreportignorestopreadwrite{ 'device': %s, 'action': %s, 'operation': %s }d:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLobj->type->destroy != NULLunknown{ 'device': %s, 'type': %s, 'removable': %i, 'locked': %i }{ 'file': %s, 'ro': %i, 'drv': %s, 'encrypted': %i }%lld%0.1f%c%lld%cKMGTVM CLOCKDATEVM SIZETAGID%-10s%-20s%7s%20s%15s%Y-%m-%d %H:%M:%S%02d:%02d:%02d.%03dbs->in_use != in_useUnknown file format '%s'Unknown protocol '%s'Invalid options for file format '%s'.Backing file not supported for file format '%s'Backing file format not supported for file format '%s'Error: Trying to create an image with the same filename as the backing fileUnknown backing file format '%s'Could not open '%s'Image creation needs a size parameterFormatting '%s', fmt=%s Formatting or formatting option not supported for file format '%s'The image size is too large for file format '%s'%s: error while creating %s: %sKMGT
Source: QEMU.exe.0.drBinary or memory string: qemu_cond_destroy
Source: QEMU.exe.0.drBinary or memory string: qemu: tried to set invalid watchpoint at %016llx, len=%llu
Source: QEMU.exe.0.drBinary or memory string: qemu: could not load PC BIOS '%s'
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/qed.c
Source: QEMU.exe.0.drBinary or memory string: stdcirrusvmwarexenfbqxlUnknown vga type: %s
Source: QEMU.exe.0.drBinary or memory string: %^port.br.devport.br.dev.exp.aer_logd:/src/qemu/repo.or.cz/qemu/ar7/hw/xio3130_upstream.c!tmpx3130-upstreamportTI X3130 Upstream Port of PCI Express Switchaer_log_maxxio3130-express-upstream-portIKc
Source: QEMU.exe.0.drBinary or memory string: '%(device)' uses a %(format) feature which is not supported by this qemu version: %(feature)
Source: QEMU.exe.0.drBinary or memory string: FnetworkQEMU USB Network Interface
Source: QEMU.exe.0.drBinary or memory string: QEMU PenPartner tablet
Source: QEMU.exe.0.drBinary or memory string: QEMU VVFAT
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/balloon.c
Source: QEMU.exe.0.drBinary or memory string: ]QEMU PenPartner tabletusb-wacom-tabletQEMU PenPartner Tabletwacom-tabletj
Source: QEMU.exe.0.drBinary or memory string: qemu_opt_set
Source: QEMU.exe.0.drBinary or memory string: QEMU USB BRAILLE
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/tcg/i386/tcg-target.c
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/xio3130_upstream.c
Source: QEMU.exe.0.drBinary or memory string: qemu: invalid physical CHS format
Source: QEMU.exe.0.drBinary or memory string: id+id1id6idDidHid6id6id6id6id6id6id6id6id6idQidvmsvga_value_writevmsvga_value_readvmware_vga
Source: QEMU.exe.0.drBinary or memory string: cpu-indexcommand-lineQEMU %s monitor - type 'help' for more information
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qerror.c
Source: QEMU.exe.0.drBinary or memory string: vmmouse
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/sysbus.cn >= 0 && n < dev->num_irqn >= 0 && n < dev->num_mmiodev->num_irq < QDEV_MAX_IRQdev->num_irq == 0dev->num_mmio < QDEV_MAX_MMIOdev->num_pio < QDEV_MAX_PIOinfo->qdev.size >= sizeof(SysBusDevice)System%s@%04x%*sisa irqs %d,%d
Source: QEMU.exe.0.drBinary or memory string: vmware
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qstring.c
Source: QEMU.exe.0.drBinary or memory string: qemu: Supported NIC models:
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/vdi.c
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/monitor.c
Source: QEMU.exe.0.drBinary or memory string: set QEMU_AUDIO_DRV=wav
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/lsi53c895a.c
Source: QEMU.exe.0.drBinary or memory string: translation (t=none or lba) (usually qemu can guess them)
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/hda-audio.c
Source: QEMU.exe.0.drBinary or memory string: /dev/vhci/dev/hci_vhciqemu: Can't open `%s': %s (%i)
Source: k3yYC4F6nT.exe, 00000000.00000003.396799302.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, k3yYC4F6nT.exe, 00000000.00000003.396855850.0000000004D3D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tools/QEMU/libpdcurses.dll@#
Source: QEMU.exe.0.drBinary or memory string: QEMU USB RNDIS Netusbnet: unknown OID 0x%08x
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/tcg/tcg.c
Source: QEMU.exe.0.drBinary or memory string: QEMU USB Net Subset
Source: QEMU.exe.0.drBinary or memory string: clonedsocket: fd=%d (%s mcast=%s:%d)qemu: error: init_dgram: fd=%d failed getsockname(): %s
Source: k3yYC4F6nT.exe, 00000000.00000003.396799302.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, k3yYC4F6nT.exe, 00000000.00000003.396855850.0000000004D3D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tools\QEMU\SDL.dlll
Source: QEMU.exe.0.drBinary or memory string: qemu.sstepbits
Source: QEMU.exe.0.drBinary or memory string: Ed:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULL%lld"\u%04X\"\\\b\f\n\r\t{
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/i2c.c
Source: k3yYC4F6nT.exe, 00000000.00000003.396799302.0000000004D36000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 64.bintools/QEMU/hd.vmdktools/QEMU/vgabios-stdvga.bintools/uikey.initools/ventoy.dattools/waldrtools/wgl4_boot.ttfdownload/atl71.dlldownload/dl_peer_id.dlldownload/download_engine.dlldownload/MiniThunderPlatform.exedownload/MiniTPFw.exedownload/minizip.dlldownload/msvcp71.dlldownload/msvcr71.dlldownload/ThunderFW.exedownload/XLBugHandler.dlldownload/XLBugReport.exedownload/zlib1.dllISOCmd/ISOCmd.exeISOCmd/ISODrive.sysISOCmd/ISODrv64.systools/aria2c.exetools/aria2cxp.exetools/bcdedit.exetools/bootice.exetools/bootsect.exetools/devcon.exetools/fbinst.exetools/fbinsttweak.exetools/GDisk.exetools/libwim-15.dlltools/oscdimg.exetools/PECMD.exetools/QEMU/libpdcurses.dlltools/QEMU/libssp-0.dlltools/QEMU/libz-1.dlltools/QEMU/QEMU.exetools/QEMU/SDL.dlltools/UltraISO.exetools/wimlib-imagex.exexldl.dll
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/cutils.cqiov->nalloc != -1dst->nalloc != -1
Source: QEMU.exe.0.drBinary or memory string: ]QEMU 0.14.50314159
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qbool.c
Source: QEMU.exe.0.drBinary or memory string: N^statussource_idflagsheaderprefixd:/src/qemu/repo.or.cz/qemu/ar7/hw/e100.clen < sizeof(s->pkt_buf)
Source: QEMU.exe.0.drBinary or memory string: [Stopped] - Press Ctrl-Alt-Shift to exit mouse grab - Press Right-Ctrl to exit mouse grab - Press Ctrl-Alt to exit mouse grabQEMU (%s)%sQEMU (%s)QEMU%sQEMUCould not open SDL display (%dx%dx%d): %s
Source: QEMU.exe.0.drBinary or memory string: dump file path (default is qemu-vlan0.pcap)
Source: QEMU.exe.0.drBinary or memory string: qemu: only one watchdog option may be given
Source: QEMU.exe.0.drBinary or memory string: usb-msd: drive property not set/disk@0,0storageQEMU USB MSDdisklogical_block_sizephysical_block_sizemin_io_sizeopt_io_sizebootindexdiscard_granularityremovable
Source: QEMU.exe.0.drBinary or memory string: qemu: error %i reading the PDU
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/qdev-properties.c
Source: QEMU.exe.0.drBinary or memory string: `qemu_fopen: Argument validity check failed
Source: QEMU.exe.0.drBinary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/ui/vnc-enc-zrle-template.c
Source: k3yYC4F6nT.exe, 00000000.00000003.396799302.0000000004D36000.00000004.00000020.00020000.00000000.sdmp, k3yYC4F6nT.exe, 00000000.00000003.396855850.0000000004D3D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tools/QEMU/bios.binD]
Source: QEMU.exe.0.drBinary or memory string: <A(<A%s: unable to init event notifier: %d%s: unable to map ioeventfd: %d%s: unable to unmap ioeventfd: %dd:/src/qemu/repo.or.cz/qemu/ar7/hw/virtio-pci.cr >= 0%s: failed. Fallback to a userspace (slower).%s: unexpected address 0x%x value 0x%xtCA
Source: QEMU.exe.0.drBinary or memory string: socket(PF_INET, SOCK_DGRAM)setsockopt(SOL_SOCKET, SO_REUSEADDR)bindsetsockopt(IP_ADD_MEMBERSHIP)setsockopt(SOL_IP, IP_MULTICAST_LOOP)setsockopt(IP_MULTICAST_IF)qemu: error: getsockopt(SO_TYPE) for fd=%d failed
Source: QEMU.exe.0.drBinary or memory string: qemu_opts_create
Source: QEMU.exe.0.drBinary or memory string: QEMU: Terminated
Source: QEMU.exe.0.drBinary or memory string: QEMU%s
Source: QEMU.exe.0.drBinary or memory string: qemu: too many NUMA nodes
Source: QEMU.exe.0.drBinary or memory string: QEMU USB HARDDRIVE
Source: QEMU.exe.0.drBinary or memory string: QEMU USB Braille
Source: QEMU.exe.0.drBinary or memory string: qemu: too many parallel ports
Source: QEMU.exe.0.drBinary or memory string: c:/Program Files/Qemu/qemu.conf
Source: k3yYC4F6nT.exe, 00000000.00000002.908608418.0000000002D39000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\libssp-0.dllldv
Source: QEMU.exe.0.drBinary or memory string: qemu: already have a debugcon device
Source: QEMU.exe.0.drBinary or memory string: m_d:/src/qemu/repo.or.cz/qemu/ar7/aes.cin && out && keyin && out && key && ivecP
Source: QEMU.exe.0.drBinary or memory string: QEMU waiting for connection on: %s
Source: QEMU.exe.0.drBinary or memory string: ]QEMU 0.14.50QEMU USB HARDDRIVE1Full speed config (usb 1.1)High speed config (usb 2.0),g`9g`Lg`Ng`jg`
Source: QEMU.exe.0.drBinary or memory string: /d:/src/qemu/repo.or.cz/qemu/ar7/savevm.c!se->compat || se->instance_id == 0alias_id == -1 || required_for_version >= vmsd->minimum_version_id!sub_vmsd->subsections!vmsd->subsectionsstate blocked by non-migratable device '%s'
Source: k3yYC4F6nT.exe, 00000000.00000002.908608418.0000000002D39000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: QEMU.exe.0.drBinary or memory string: device:qemu: unrecognised bluetooth vlan Id
Source: QEMU.exe.0.drBinary or memory string: qemu: could not open virtio console '%s': %s
Source: QEMU.exe.0.drBinary or memory string: QEMU Keyboard/Mouse
Source: QEMU.exe.0.drBinary or memory string: qemu_thread_create
Source: QEMU.exe.0.drBinary or memory string: WAV renderer http://wikipedia.org/wiki/WAVqemu.wavwav_init_outRIFFWAVEfmt
Source: QEMU.exe.0.drBinary or memory string: QEMU USB Net Data Interface
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: 0_2_00DBF27E IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: 0_2_00DDF5DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: 0_2_00DBDBD9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: EnumSystemLocalesW,0_2_00DE6245
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00DE56C0
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: GetLocaleInfoW,0_2_00DE670F
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: EnumSystemLocalesW,0_2_00DE5983
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: EnumSystemLocalesW,0_2_00DE5938
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: EnumSystemLocalesW,0_2_00DE5A1E
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: 0_2_00DE6779 GetSystemTimeAsFileTime
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: 0_2_00DEA7A0 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\Desktop\k3yYC4F6nT.exe Code function: 0_2_00C8EAEF __EH_prolog3_GS,GetCurrentThread,GetCurrentThreadId,GetVersionExW

Remote Access Functionality

Source: QEMU.exe.0.dr String found in binary or memory: RFB 003.008
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 131 Windows Management Instrumentation; 2 Command and Scripting Interpreter; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 23 Virtualization/Sandbox Evasion; 1 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 21 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 2 System Time Discovery; 341 Security Software Discovery; 23 Virtualization/Sandbox Evasion; 1 Remote System Discovery; 3 File and Directory Discovery; 45 System Information Discovery; Network Sniffing
Lateral Movement: 1 Remote Desktop Protocol; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 2 Encrypted Channel; 1 Remote Access Software; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Source | Detection | Scanner | Label
k3yYC4F6nT.exe | 18% | ReversingLabs | Win32.Trojan.Generic
k3yYC4F6nT.exe | 28% | Virustotal

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\PECMD.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\7z.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\ISOCmd\ISOCmd.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\ISOCmd\ISODrive.sys | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\ISOCmd\ISODrv64.sys | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\MiniTPFw.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\MiniThunderPlatform.exe | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\ThunderFW.exe | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\XLBugHandler.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\XLBugReport.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\atl71.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\dl_peer_id.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\download_engine.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\minizip.dll | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\msvcp71.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\msvcr71.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\download\zlib1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\GDisk.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\PECMD.exe | 28% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\QEMU.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\SDL.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\libpdcurses.dll | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\libssp-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\QEMU\libz-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\UltraISO.exe | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\aria2c.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\aria2cxp.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bcdedit.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootice.exe | 3% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootm7r | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootmgfw.efi | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootmgfw.efi.mui | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootmgr | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootmgr.exe.mui | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootmhr | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\bootsect.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\devcon.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\fbinst.exe | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\libwim-15.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\oscdimg.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\waldr | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\tools\wimlib-imagex.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\xldl.dll | 0% | ReversingLabs

No Antivirus matches

Source | Detection | Scanner | Label
jsy.newitboy.com | 1% | Virustotal
Name | IP | Active | Malicious | Antivirus Detection | Reputation
i2j7ovst.sched.sma.tdnsstic1.cn | 175.43.23.67 | true | false | | unknown
jsy.newitboy.com | unknown | unknown | false | | unknown
    NameSourceMaliciousAntivirus DetectionReputation
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
Joe Sandbox Version:38.0.0 Beryl
Analysis ID:1292564
Start date and time:2023-08-17 06:14:14 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 11m 7s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:22
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:k3yYC4F6nT.exe
Original Sample Name:f9d4a14f2de2540ca26fc868055c65b3.exe
Detection:MAL
Classification:mal76.troj.evad.winEXE@1/68@2/11
EGA Information:
• Successful, ratio: 100%
HDC Information:Failed
HCA Information:Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, eudb.ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, g.bing.com, arc.msn.com
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
61.243.158.136 | http://sojson.com | | malicious | Unknown | |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\lo6AC8fNuD\7z.dll | ojSIQVSgby.exe | | malicious | Unknown | |
 | FA3TCAsA9E.exe | | malicious | Unknown | |
 | fNbViAxRGL.exe | | malicious | Unknown | |
 | dXaqC8H6qX.exe | | malicious | Unknown | |
 | WinRAR4.01.exe | | malicious | Unknown | |
 | http://www.edi-texteditor.com/EdiSetup.exe | | malicious | Unknown | |
 | WinThrusterSetup_1.16.7.exe | | malicious | | |
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):174080
                                                                                    Entropy (8bit):6.279217790646268
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:xyljBP/VZjAISqyTFjoZAO1h7BTF1rJa//diUTTBXJxO8hlIhb0:xeBnVZ8w4toZAcLrJa/liSVHU
                                                                                    MD5:31CAD6A3EDD1C32981AD6B565CBEAC94
                                                                                    SHA1:9338978C85A9423EE2A38CBA027F79192D684F1B
                                                                                    SHA-256:B8521ABDA09EC17DDAD36528C1BC50395DC8C5F7C11C026A5B3FF23110C54182
                                                                                    SHA-512:02E198B8EF192DE55DB35AE00A16A80B3309A9373A596C20D617B43DD7159A635BC303F371859E704375521A1242D02754807E2E9DFEF63FFD06993B24C17D3D
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Joe Sandbox View:
• Filename: ojSIQVSgby.exe, Detection: malicious
• Filename: FA3TCAsA9E.exe, Detection: malicious
• Filename: fNbViAxRGL.exe, Detection: malicious
• Filename: dXaqC8H6qX.exe, Detection: malicious
• Filename: WinRAR4.01.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: WinThrusterSetup_1.16.7.exe, Detection: malicious
                                                                                    Reputation:moderate, very likely benign file
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):20880
                                                                                    Entropy (8bit):6.594231390659182
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:X0E0zwSynXgOw/XTy4IJHEcDnH35E7l2GYYJLeLY6NE54XdUb+3:X70zwpcwHd7H27sGtLXi3
                                                                                    MD5:66F5341A29E602C25637E83EA31DDF32
                                                                                    SHA1:B2F39376B2F7EA153875BF9548EA0DEC3208A76F
                                                                                    SHA-256:AACCE3D04CC8A8106DB45E2DB1CA1B218DCE207805E81D694FF0FE5DF2AD1663
                                                                                    SHA-512:6AD026F67377B00B5DCA776558082943C55757224DF80C8EBA048898BF94706C3CE00E1AED875809F6DC04CBC802FE560AA272407942102DCFD342238C33A12C
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Reputation:low
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):82320
                                                                                    Entropy (8bit):6.562163957235567
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:XLiUaAQa/BBMy6hHxVLFt89Nhku7Nl3HJM3TKupr/wu0VXMCIDGLUDNMfECCPefU:XLsa/oHhHxVve9OS2hp7H
                                                                                    MD5:2F03CEB28307983F3B36216D35FFA5AA
                                                                                    SHA1:0C342A15C68ABFC039345CF5B17C4CEC10F4BEB4
                                                                                    SHA-256:EACAE0F03BD2A8F72458884CECFF3FD0CE093DDAC7C57B64FB9AF5E4BFBFFA21
                                                                                    SHA-512:3F5FB1D71DC9E20CDD54691FF43BDD87A3DEA07C137D3CA14CC2E5E39E2B857787CA3A56E1C70A05404EA7FA0B1F1A5F445CB7DE3230EDB23FAEBA9E30CD704E
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Reputation:low
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):115600
                                                                                    Entropy (8bit):6.394580079814466
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:/gK0Gd60LoUzfcEQG+VthPuqZHWwW+g7oPaR6IOAAV2fbbbb8MLdkLFGxriS:B6+dfcEQG6thpWwlgEPaRIAEhMLdzF
                                                                                    MD5:9C6F3F69163133FB8E56AC4A6E163452
                                                                                    SHA1:452F1A6C878C363580F7E8B6296E0707AE80AE08
                                                                                    SHA-256:BD6CAB093B5451B4CC85B4528DC0251C97A3D11CB3C1493D25F37B06F8CD2238
                                                                                    SHA-512:9730205D7294DAA76D689CD0A1F9EE0AB96799082847C5A1E35060E7B53F1A347B00F8796A15404640C6041EB7219CE18488B8CCA5C060DC7025CED4D2EBE2D3
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Reputation:low
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):59848
                                                                                    Entropy (8bit):6.4580836109066695
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:BSODywYihzSrVPdQsNruuGYOLO3NNkFlBi1jSZIfjeGdJARt03juFGu:BSKywYDdQsQuG5L27Ui1SPRt0qf
                                                                                    MD5:58BB62E88687791AD2EA5D8D6E3FE18B
                                                                                    SHA1:0FFB029064741D10C9CF3F629202AA97167883DE
                                                                                    SHA-256:F02FA7DDAB2593492B9B68E3F485E59EB755380A9235F6269705F6D219DFF100
                                                                                    SHA-512:CD36B28F87BE9CF718F0C44BF7C500D53186EDC08889BCFA5222041FF31C5CBEE509B186004480EFBD99C36B2233182AE0969447F4051510E1771A73ED209DA5
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Reputation:low
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):268744
                                                                                    Entropy (8bit):5.398038838886799
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:IPH9aqri3YL1Avg3NloWPxFL8gL2MaVtvT0e9d:IP4qri3YL1Avg3NloWPTHL2fkQ
                                                                                    MD5:0C8F2B0EE5BF990C6541025E94985C9F
                                                                                    SHA1:BE942F5FEF752B0070BA97998BFE763B96529AA2
                                                                                    SHA-256:12D6CC86FDC69E1AA8D94D38715BBE271994C0F86F85283FA2190DA7C322F4C8
                                                                                    SHA-512:7B0E81149FAFA88050A125155732057190D8F93E8D62CB05A68DA9CF24E30228F14D0FFD888C0362BFFD5872E970200098E75572B2819ABEEA10022AB1A264F6
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):73160
                                                                                    Entropy (8bit):6.49500452335621
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
                                                                                    MD5:F0372FF8A6148498B19E04203DBB9E69
                                                                                    SHA1:27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
                                                                                    SHA-256:298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
                                                                                    SHA-512:65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):100808
                                                                                    Entropy (8bit):4.766413363865024
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:ptC/WRVyC4jjurmOgxhQgVQfWDwI8JefPffPbrwehZ/kUZ7lzajun:ptC/WG2Kq8wIwef3Z/7Z7Bvn
                                                                                    MD5:92154E720998ACB6FA0F7BAD63309470
                                                                                    SHA1:385817793B9F894CA3DD3BAC20B269652DF6CBC6
                                                                                    SHA-256:1845DF41DA539BCA264F59365BF7453B686B9098CC94CD0E2B9A20C74A561096
                                                                                    SHA-512:37BA81F338AF7DE7EF2AC6BCF67B3AEC96F9B748830EE3C0B152029871F7701E917B94A6B51ACD7BE6F8F02AEA2B25F3B14CED1A218BF4868AF04F5207BB5FFF
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):248264
                                                                                    Entropy (8bit):6.6466971830965855
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:XMdUQGp4lA6Ce3PVd0zA+NzWfhYxMyIxZ2D6YmxX7hNKQ+Gr3:Xl4lrHdcFzWJYxMVZ2D6YmxXdL+63
                                                                                    MD5:67C767470D0893C4A2E46BE84C9AFCBB
                                                                                    SHA1:00291089B13A93F82EE49A11156521F13EA605CD
                                                                                    SHA-256:64F8D68CC1CFC5B9CC182DF3BECF704AF93D0F1CC93EE59DBF682C75B6D4FFC0
                                                                                    SHA-512:D5D3A96DEC616B0AB0CD0586FA0CC5A10BA662E0D5E4DE4D849AC62CA5D60EC133F54D109D1D130B5F99AE73E7ABFB284EC7D5BA55DCA1A4F354C6AF73C00E35
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):89600
                                                                                    Entropy (8bit):6.46929682960805
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
                                                                                    MD5:79CB6457C81ADA9EB7F2087CE799AAA7
                                                                                    SHA1:322DDDE439D9254182F5945BE8D97E9D897561AE
                                                                                    SHA-256:A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
                                                                                    SHA-512:ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):92080
                                                                                    Entropy (8bit):5.923150781730819
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
                                                                                    MD5:DBA9A19752B52943A0850A7E19AC600A
                                                                                    SHA1:3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
                                                                                    SHA-256:69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
                                                                                    SHA-512:A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):3512776
                                                                                    Entropy (8bit):6.514740710935125
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
                                                                                    MD5:1A87FF238DF9EA26E76B56F34E18402C
                                                                                    SHA1:2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
                                                                                    SHA-256:ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
                                                                                    SHA-512:B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):40
                                                                                    Entropy (8bit):4.237326145256008
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:q13EMVYqayn:q1bVSy
                                                                                    MD5:0BE78C38021ED1585770F4709C75958B
                                                                                    SHA1:E9E3096E7CECDEADD5E69D714F0BB8FF2191521E
                                                                                    SHA-256:D8C1F72B74BF08838080118C897B8FD50046EDF036A045813BB9CC082DBF4A5D
                                                                                    SHA-512:38DA85702B15CB2020129C2DD88DB8FFD6EC46D7C5D8C3A35717A9F186A83DE71E90827E5C943972F211B0CD2A4B6366260D3C525591150F1237D979578C4D19
                                                                                    Malicious:false
                                                                                    Preview:[partner]..id=80000211..ver = 3.2.1.40..
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):19968
                                                                                    Entropy (8bit):5.994668230170749
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:mR8uMPJWrR/CZoG4T/ibcIBLLz0IINleTW4l1J0G:duMhWD1GbcIBLLXINyN0
                                                                                    MD5:7FD4F79ACA0B09FD3A60841A47CA96E7
                                                                                    SHA1:6A84B131399D207BF00605D33F938617B1A7C391
                                                                                    SHA-256:FC10C877E2BCFAB35758446A72A8DB704D8E8455470D65A6DE5492C10C8D6786
                                                                                    SHA-512:D3933D77C61B6D38546AC9D38C7975F9575EB25AC8673DA18D6707669676612EA0BE0A673633AD703EC4FE9B30A37D63DD21F33EE782FA3CF984046E483069F7
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):503808
                                                                                    Entropy (8bit):6.4043708480235715
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
                                                                                    MD5:A94DC60A90EFD7A35C36D971E3EE7470
                                                                                    SHA1:F936F612BC779E4BA067F77514B68C329180A380
                                                                                    SHA-256:6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
                                                                                    SHA-512:FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):348160
                                                                                    Entropy (8bit):6.56488891304105
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
                                                                                    MD5:CA2F560921B7B8BE1CF555A5A18D54C3
                                                                                    SHA1:432DBCF54B6F1142058B413A9D52668A2BDE011D
                                                                                    SHA-256:C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
                                                                                    SHA-512:23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):59904
                                                                                    Entropy (8bit):6.753320551944624
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
                                                                                    MD5:89F6488524EAA3E5A66C5F34F3B92405
                                                                                    SHA1:330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
                                                                                    SHA-256:BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
                                                                                    SHA-512:CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:ASCII text, with very long lines (339), with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):2437
                                                                                    Entropy (8bit):5.349119198174494
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:eR6TgKrKhP8+Jo8fj3DjxPfKr2WPiKrFwKrqsCnayKrnfbL0LiKrrU24:e6gKrKhEILxPfKrnPiKrFwKrQBKrX0mJ
                                                                                    MD5:16AF36ECF7F2A59975915512061DA016
                                                                                    SHA1:6B6694D21E05F9551094FAAB0074F871D08BDD1A
                                                                                    SHA-256:2C092798B8B6D0228FB3CA6F7E5B06C3C68005D342F2D2F89CDD0007DA34AE13
                                                                                    SHA-512:C46397F2AE3FC4A9D0106706C744796143F63FB9246F427B68AD249CA6269D7BE4F49552E55A3CE1C05B0C900FAFED33C1B0CDE57FE7EC608D46FC0825DA339F
                                                                                    Malicious:false
                                                                                    Preview:Thu Aug 17 07:34:02 2023..start GetLogicalDriveStrings...C:,0,4,0:4,\\?\Volume{4b110390-e32a-400c-bf41-7fe93773464a}\,0,644874240,53041168384,,,90503820,1943631482,6,WIN10,NTFS,,81919.003906,50584.000000,,0...OtherType: D:..start GetDevicePath...\\?\scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}..start GetVolume..Thu Aug 17 07:34:03 2023..\\?\Volume{b8455d9b-4916-480e-8b44-905b33ca001e}\,\Device\HarddiskVolume1,,,,4294967295,0,1,0.000000..\\?\Volume{4b110390-e32a-400c-bf41-7fe93773464a}\,\Device\HarddiskVolume4,C:,,NTFS,3,0,4,81919.003906..\\?\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\,\Device\HarddiskVolume2,,,,4294967295,0,2,0.000000..\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\,\Device\CdRom0,D:,,,5,0,4294967295,0.000000..Thu Aug 17 07:34:04 2023..gpt:0: FDAD6117-EF38-47B2-A7CD-E3B22F763886..all disk info...0,\\?\scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},ouapwn pjeiieh
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                    Category:dropped
                                                                                    Size (bytes):12288
                                                                                    Entropy (8bit):2.1224557470920553
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:MfgUWZnyLAvAeJodTmBzQu0rM5b6zerOYV+8imaFwejGjTf4Bt6Bw0JgSwj2:MfjqSAvHOdu0uB9prj96Of4Bt2wsBwj
                                                                                    MD5:184C03F85CE04B9D0D459DD03D42694C
                                                                                    SHA1:A3B80C07A779BD07CCA391E7D93F56A936A6F202
                                                                                    SHA-256:C43628AD3EEE29C3033BF55836D0433CE61E49FF94234603243D55B638675ECF
                                                                                    SHA-512:A326D28E8D90BC1F7F4E44AA3E734A44A7E4817C9272237805C0C7493FBF79F95E11E57F0C2B76527A1981BCE2BDF375A63A534104FAB43F01C050821910546C
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                    Category:dropped
                                                                                    Size (bytes):12288
                                                                                    Entropy (8bit):2.1889288002048817
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:VgFWZALfleJodTmgzNBj0Zl7ibzbevXe3r8WIgeVlqtu8tx4tEMuSsp4Bori6oLM:VqPfwOdjPjA8evoInSdx4iZ6Ynou+
                                                                                    MD5:0B44F104B49A008D6854CF214AE4DCFC
                                                                                    SHA1:07D3304B2E7B957A43DB6E34784EC551688E16F7
                                                                                    SHA-256:81F7BB6729E162DEEC9AEC1F8819EEE2FFE07CD123D08AA0E248A18BBE8358B9
                                                                                    SHA-512:4487011F7566F5673CEFAF2E0C74DCE0FF2952078912658D359009A338F66ACD04C23351ADA59A00F77295C18CB98E5144F8DE603D44A6DF41ED6545DC406A32
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                    Category:dropped
                                                                                    Size (bytes):12288
                                                                                    Entropy (8bit):2.1193517831554605
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:b/6gpXWZ5LieJodTmPzQ5Lyrob4zernRYt18imlRejGtZTzbGdaGgGc2:b/6kXm1OdY05LzjrnC4eOzbCaG6
                                                                                    MD5:37415249649BD95C605868942CAA153C
                                                                                    SHA1:26662DFE3760D8749064894850380DFC8DA146EE
                                                                                    SHA-256:13BFDEAA701A7B091AAABE01953E2FAE4532BC05AECC847FED62A1F65EAB36B8
                                                                                    SHA-512:E15C940BE35C757082E3D1DEAA715F1CC31819DF6423F05910E671EF5B59A1B11DCE0E56B7214ED2430BF080381F69459BAEC11F77049B5CB9C12923A0A0EEF7
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                    Category:dropped
                                                                                    Size (bytes):12288
                                                                                    Entropy (8bit):2.118192368682145
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:L0gWg3+WZnyLOeJodTmBzQnA0rM5b6zerOYV+8imazXejGjTvbSaPw0JgSwj2:gvNqSJOdu0AB9prj9FOvGowsBwj
                                                                                    MD5:C25FF42C7D7342FEA698EBD442585966
                                                                                    SHA1:0F8BEFB6F2AAFB56C91F47B7F5436452526A5165
                                                                                    SHA-256:C57EFD6352BB7AE2EC2325D1CF13B0B6A74AAFBA22D0257353CBC7F8F9553C3B
                                                                                    SHA-512:278D7CAB219D7248A49FC7E52C6904B88C83F2018B923D6B6C275F854A5AD22BB6FAD86BE4B5B66DE78AC560F6FF5A6F092628DE1500E90CEA03BF6D45911DD4
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                    Category:dropped
                                                                                    Size (bytes):12288
                                                                                    Entropy (8bit):2.1168213664815543
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:0TYgXWZnyL1eJodTmBzQ10rM5b6zerOYV+8imaWejGjT9aJG8Vw0JgSwj2:0TYcqSgOdu01B9prj9SO9aJDVwsBwj
                                                                                    MD5:9CCD1B8ACD478D288E000E9FC16B5607
                                                                                    SHA1:65FE1D6622063A0F400AC2E64E303DEEAC747AB5
                                                                                    SHA-256:357BC98D426EDA49CECFBB4155E69B18DF6DA8BF40D3DD5AD941FBC4FAA903C6
                                                                                    SHA-512:A985591C4A2764F23603848E0C78BC493C36D435714AC781E06A3C0ABFAB529E31F7BA33A28C46B7EF57FDD86550D5E128BA72EAB2D3D6262426E3D9A3A8E7AA
                                                                                    Malicious:false
                                                                                    Preview:regf1...1....Y&d.................... .... ......\.)Y.U.N...:gGl;`\.D..n.N.]wQ\.d.a.t.1.\.t.o.o.l.s.\.8.B.C.D...)4.<.......PV...)4.<.......PV.......*4.<.......PV...rmtm.....................................................................................................................................................................................................................................................................................................................................................R..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                    Category:dropped
                                                                                    Size (bytes):12288
                                                                                    Entropy (8bit):2.186025146063088
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:2ZgsWZALHeJodTmgzNBW0Zl7ibzbevAB3r8WI77eVlqGpu8tqqwEM08wp4Bori6/:0HP+OdjPWA8evCIOtdqq0+6Ynou+
                                                                                    MD5:C00E75EB9D16BFF242DE63269CDF0894
                                                                                    SHA1:2E4258F71CA404E3E5B34976AE6259B73FDB9A2A
                                                                                    SHA-256:F01CE8C0D0882E7113117D49620350A41E7F5F3EDA897DF9A5C5CF6D167847CE
                                                                                    SHA-512:0F85D89853561B9FD851BE22312820940DC8EBDA447B92DB635E6805352F170068A4CE611C43B1A0F2CE5F8874FF1A24000F68149D9A16C78C075607B2B6A58D
                                                                                    Malicious:false
                                                                                    Preview:regf,...,...0~.................... .... ......\.?.?.\.C.:.\.8.e.f.i.b.c.d.....................................)4.<.......PV...)4.<.......PV.......*4.<.......PV...rmtm.....................................................................................................................................................................................................................................................................................................................................................Y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):4096
                                                                                    Entropy (8bit):4.049931330854999
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:LW9r0eIvMCkR4EgY7T2RZ6HxVouNjn3pigTBQt:6gFv2X7H2RZUxtNzpvBQt
                                                                                    MD5:D4BEFEBF3CEF129AC087422B9E912788
                                                                                    SHA1:62313EC73F381C052F2513CA6279CFB5107E98C0
                                                                                    SHA-256:F425E135AAC26B55E2BAC655E62E2CE0B16255226C583D9AB43B2E93E8A6D932
                                                                                    SHA-512:3814E4682CAD2EF40061D3D5E8142C964CC73A6C6DFC72BA59CBAB0922DD0C7E279703450E3A1F4FCFDE3498565BF6EF28A30E7DE53A0EDA75B3FEA76D03929B
                                                                                    Malicious:false
                                                                                    Preview:.3....|....R....$.<.t..........^..!.t....|..}...=.......E.....=..u........4....ry....5......=U.uiZ.....F.h..j.h. ...r.`.......... ..ah..j.h. ...s.h..j.h. ...r2....3.h. P.V......1.....V......2.....j......j.......^.....t..............$...3.... .&......&.G.....&.7&..t.&.O........u...3.... .....&......&.G....... .....3........T.. ....................s........|..........t..................CDBOOT: Cannot boot from CD - Code: 3...CDBOOT: Couldn't find BOOTMGR...CDBOOT: Memory overflow error..............3.3.6..&.....t5...!...Q3.....Yth;.s4+.>...t......Q....Y..........A...............&.>...u.........SQ....Y.....[...+.t.J...+...y....Q3.&.O .>...t.&.G..u.*.t....u.....t.Y.l.&.G..t.:.u.Y..U..SVRP.......G...G...G....G....G....F.....F.....F.....F.....F.....>....u..>.. ........................... .....G.....G.....G.....G.....B.......>...u(.... ...........s.j.....b..... ........XZ^[..].U..QSP....................t.......PS.v..6...6........X[Y..].P&.G....&.G....&.G....&.G....X.
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):3003784
                                                                                    Entropy (8bit):6.59347578617477
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:uHGL3aOOFvhi7F216g4/t+MakIr0Od3PvGOo41/tOE8B/L:uYK/sF2163+kdE/vG/
                                                                                    MD5:85C7CC9760EB03C9657CFD3880603A7C
                                                                                    SHA1:335392BD7308303C3129B9DAF32A3264F5167355
                                                                                    SHA-256:9EDF492513105F44D5E5EC53F2A300E5875733FCECE887FC414653AE72FA1583
                                                                                    SHA-512:A4B2BDF78F2448AC39640AD0997A38EF1ABF10321065E0A5C4AA46EA493DEAC0B9DA5107F7365FBB320542DA81E47798BF7F839D3E2318F0FCA0028082693215
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P.J...$...$...$..Z...$.3.V.D.$.3.Y.>.$.3.I...$.3._...$...%...$.3.J..$.3.X...$.3.\...$.Rich..$.................PE..L.....|L..................".........y........."...@...................................-......................................>*.........X.............-..............."..............................................."......>*.@....................text....."......."................. ..`.rdata.......".......".............@..@.data....8...`*..@...`*.............@....mixcrt...............-.............@....rsrc...X.............-.............@..@........................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1187
                                                                                    Entropy (8bit):6.141847914712622
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:YLldnoSDWDsDmLSNSWFvpkSx1w8XS8fXXe2N6OjtYcqTwryUOS+HjHOOJ:YAMKS3vyp8XRfXfNRNj+HjHOu
                                                                                    MD5:AD7F7B93DDC2E23432907078CA997D96
                                                                                    SHA1:CA8BA885687526C149A8B1CCBAB172599D9D62F4
                                                                                    SHA-256:AF1091A753FB34D37896774AF38FDD83BEBF80FC977430CC578F6A2B0F72FFD0
                                                                                    SHA-512:214FDB90474692C15194117F5D57A60714DA5972F3B6374FB9E174FD80EA3075730CE843947D12B32FBA564A04C6D65B6AC15E3DD88B3F3B7800EF2B2B2CC5C6
                                                                                    Malicious:false
                                                                                    Preview:.timeout 10..default 0..gfxmenu /BOOT/GRUB/MESSAGE..title .01. .......PE(....)..echo $[1106] Loading WINPE, Please Wait .....find --set-root /boot/bootmhr && chainloader /boot/bootmhr..title .02. ..win7...PE(....)..echo $[1106] Loading WIN7PE, Please Wait .....find --set-root /boot/bootm7r && chainloader /boot/bootm7r..title .03. ....Ghost........RUN --mem /BOOT/IMGS/GHOST.IMG..title .04. ..Disk Genius......RUN /BOOT/IMGS/DGDOS.IMG..title .05. ..Memtest5.0......RUN /BOOT/IMGS/MT501.IMG..title .06. ..Windows....(....)..RUN --mem /BOOT/IMGS/PASSWORD.IMG..title .07. ===.........===..set /a bn=%bn%+1..if "%bn%"=="1" && command /BOOT/GRUB/BOOTHARD..set sw=No..map --unmap=0xfe..checkrange 0x80 read 0x8280 && if exist (hd0)/fb.cfg && set sw=yes..checkrange 0x23 read 0x8280 && if not exist (fd0)/fb.cfg && set sw=yes..set /a hdn=*0x475&0xff..if
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1375
                                                                                    Entropy (8bit):6.209653149925306
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:YLldnxcwsn6bSDWJDmLvBnpDm7bNSWTkSH1w8lS8xXXe2N6OjtYcqTwryUOS+Hjl:YZcEbKvBnJsyf8lRxXfNRNj+HjHOu
                                                                                    MD5:E4EF3F0BACE0EB789FDAE537020BF53A
                                                                                    SHA1:60A12180A085B398E83DBA72BFA27770997FB510
                                                                                    SHA-256:52769837BA9C757B17AF16812E28E8469A88BDFDFBF454C762299A4256793D63
                                                                                    SHA-512:16D5A4DF1415ED64350DA33E2DAB4DEC1ECE3E6EB7F3D3866202E6447A604C20B80D39FE3C0CD0E677D2355884A60F04594F7B3FBDFD7BB13750668C911175A2
                                                                                    Malicious:false
                                                                                    Preview:.timeout 10..default 0..gfxmenu /BOOT/GRUB/MESSAGE..title .01. .......PE(....)..fallback +1..SISO RUN /BOOT/jsyhx64.ISO..title .02. .......PE(....)..echo $[1106] Loading WINPE, Please Wait .....find --set-root /boot/bootmhr && chainloader /boot/bootmhr..title .03. ..win7...PE(....)..fallback +1..SISO RUN /BOOT/jsy7x86.ISO..title .04. ..win7...PE(....)..echo $[1106] Loading WIN7PE, Please Wait .....find --set-root /boot/bootm7r && chainloader /boot/bootm7r..title .05. ....Ghost........RUN --mem /BOOT/IMGS/GHOST.IMG..title .06. ..Disk Genius......RUN /BOOT/IMGS/DGDOS.IMG..title .07. ..Memtest5.0......RUN /BOOT/IMGS/MT501.IMG..title .08. ..Windows....(....)..RUN --mem /BOOT/IMGS/PASSWORD.IMG..title .09. ===.........===..set /a bn=%bn%+1..if "%bn%"=="1" && command /BOOT/GRUB/BOOTHARD..set sw=N
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                                                                                    Category:dropped
                                                                                    Size (bytes):593408
                                                                                    Entropy (8bit):7.904336665472972
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:xQeXdsg8DQ0GMb6hrU3b8W7mtMW3oqcANTQqo7PCeZ:xNsbwgb57KcANcqCqk
                                                                                    MD5:C7B6EF1EC6D397433962F1D1A5586F0F
                                                                                    SHA1:37662513075EAAC1A02E4471CC6574553959FE2A
                                                                                    SHA-256:E0A4111A340E437091A5F12425B907954E4ECCBA9BEC26839F29E732DA9239D1
                                                                                    SHA-512:DC62D0A8C928B50FD48E03C63F49E7C8F0BA8FCBE9C151666C69366ECD16587831BE444747A089F1CD7E54D3704D2EE69DB2E621CB8E6C545FA67BE14C72AC4A
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 28%
                                                                                    Preview:MZ@.....................................!..L.!Win32 .EXE...$@...PE..L.....6U.................(...........r.......@....@..............................................p...................p.......p..........Dr...........................................................................q..@............................MPRESS1.`...............................MPRESS2E....p...........................rsrc...Dr.......t..................@..............................................................................v2.19..O... ..*....N.......o...U...I.\......RG?..L.....Z.....F...<.....4OQH.o..c......;.....H)@T ......e...q.. ..E!..Hr..;;}lJh..j..n.Z....,...U1..5e.."7y.P.\....i....ZB.5.61......h.........R... .......z....XO.B0..8.`.o..Y..!).G..6]y.....w3.,.\)..1.? ...Q...{.p..G....K..!vZx.]...J.....fY.j... .......H.p..go#../..AU.+.....|.o...nL;..Y....Y.).(.jC..G]-S.........]X.....5hI....e.UyI.q.....}.....#S}.[...P....f.u..c.\.-.....v.x!.S...@.#.!..Uwt..I..hK.......
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):2919438
                                                                                    Entropy (8bit):5.756132556740688
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:K3EBHvdtoMWKcEdmcMK6C1f7th36PKy/mxNpY2GUs+6mcjM:K3EBXoMhcEdmcMK6CBth3emx7Y2GUf6M
                                                                                    MD5:0BC0128ADC469C94F9830F52776DE861
                                                                                    SHA1:DF71DE8D4152B894C9D2B3FDF6A1DEFED31B6DAA
                                                                                    SHA-256:AE5A298E6EE113B97425BC3E2C23C0CAF90F367E8A1F25EC0272DEEB7DD9A485
                                                                                    SHA-512:99D8C44F62FE1B8F06FD5E5B319DBD660A898D16B00A8AD7AEC6697E11EF63A729161C9114A70084DEAB1A41E44B130B0290665CBE7D95DA4341C7792909CCBC
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}M..,...................,...a.`.............@.................................nN-...@... .............................. ...#...p..p....................................................`......................H&..X............................text...............................`.P`.data...|9.......:..................@.`..rdata..$...........................@.`@/4......p....p,......P,.............@.0..bss....T.a...,.......................`..idata...#... ...$...R,.............@.0..CRT.........P.......v,.............@.0..tls.... ....`.......x,.............@.0..rsrc...p....p.......z,.............@.0.........................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):324096
                                                                                    Entropy (8bit):6.678894765303499
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:bZznUL/y6igDAqMCJDrAEsVuu0mhoP3Y14oWADKmzAB4wdi6:bZznUTy6igDAqMCJDrAEsVuu0mqPIs7
                                                                                    MD5:67ACD10F873A6F1997B17E629E1DBDFE
                                                                                    SHA1:DD95D21BC294072F6928EF9143CD2A71AA89B906
                                                                                    SHA-256:0F0EC611E038BE2DD9F08FAA809051615911FD3EA734980359280362181608A6
                                                                                    SHA-512:25740490D16CECF91980D861DB0D3486A11EF818CBF824729DC48BD3EE0B3A5C8EA1AC779026185D99939DF59E1EFAE94694394D61DC74222EF7CE1534E89594
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......J...........#...8............`..............h.......................................... ......................P..e....p..d................................ ...................................................................................text...............................`..`.data... ...........................@....rdata.......0......................@..@.bss.....................................edata..e....P......................@..@.idata..d....p......................@....rsrc...............................@....reloc... ......."..................@..B................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):131072
                                                                                    Entropy (8bit):6.449731940765529
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:5xa/3XA5Mezf9vG59vBoUSLQ8JqydQbcSbzRwgC:5xa/3XcFvGTvBoUJ8JqjbcS/RwgC
                                                                                    MD5:178FDA3118109882380F2897493F6DD4
                                                                                    SHA1:8D0120F50624B216B8C3A54149CED70829FAD814
                                                                                    SHA-256:18731DF5AFC45EEDE91BA3868239508D129C5CF0ED812FB85C5765CF0A8B23D8
                                                                                    SHA-512:E110FF014B291B9A5ED5AD5797A18D0F4957CE54F21210ACF76A0936D61C8A4E08B0270BB914279D235DA6C16CDF236358AE9C352590D584EA03A97162A69BB7
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:Matlab v4 mat-file (little endian) \226v\213L\251\205'G\007[OP, numeric, rows 0, columns 0
                                                                                    Category:dropped
                                                                                    Size (bytes):1048576
                                                                                    Entropy (8bit):6.272710774108453
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:HZKfpc3ERvzEhlk9YEXQJt3+kX3oFYH5cTXVHnTk8i4vHducOfdpTQ4UB63+:HZKfpc3jk9tQJtNoFw+TVzck0144UBR
                                                                                    MD5:07F88BE907C1D658F80C058645F7A135
                                                                                    SHA1:627F39C7F77006354759BC90382562D6B183A84F
                                                                                    SHA-256:D9808FB1F750250EFDA17FAD79D0621B727C3EFE7384A89B415ECA92222D25C7
                                                                                    SHA-512:CB8E7CA3D7453BA50BD5552F5D3C3D59E81C03A05187E2B12188410E72AD23E512B70D49A505B061C593906704264C658B881DF7BC1FB39B917573B430C8293C
                                                                                    Malicious:false
                                                                                    Preview:.................+...v.L..'G.[OP........_FVH....H....... ................6..u2dA....p..}....Z...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:Matlab v4 mat-file (little endian) \226v\213L\251\205'G\007[OP, numeric, rows 0, columns 0
                                                                                    Category:dropped
                                                                                    Size (bytes):1048576
                                                                                    Entropy (8bit):6.587125801788772
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:gJc/JmMJjzNKhaQHeP45e6BtH8kV0+/VaZXi9vp/iygCJw81mVHOR5Vjk5F:Kc/JRZNKhrHd5lBF88pPgCJw88NYCz
                                                                                    MD5:443C99C734736D6323F68B3F6C0DF06F
                                                                                    SHA1:CB4ED9935205FF61C078D008D658D61930B85983
                                                                                    SHA-256:32E745D03247FBCBCF5BC0238AA3E05EE1D0FCC1FDB6E11362E681E3582C6CFF
                                                                                    SHA-512:41E0246B8D17223424493969715FDADD024E90E074796E2D13E64823A0E50778C1A0A6905F9FD09AD1D1D6AFB5785AC9FFA97704E6F01456A5FB62FC992462DF
                                                                                    Malicious:false
                                                                                    Preview:.................+...v.L..'G.[OP........_FVH....H....... ................6..u2dA....p..}....Z...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:VMware4 disk image
                                                                                    Category:dropped
                                                                                    Size (bytes):196608
                                                                                    Entropy (8bit):0.032941509357403385
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:nLiGGs/oNCXRnj8caDl5ExsFRtutitmtat+tyt2tqt6f/X/:NGMoiR4fExsFRtJt5tJtZt6v/
                                                                                    MD5:CA1D5385263311784B2624CB8F9F3945
                                                                                    SHA1:EB0E34AE034B44BE3155FDDA326022AA39BA0140
                                                                                    SHA-256:C1968A05A22B7124B8E6851DC757B396CF7C5888F75A649694BF769026D895D4
                                                                                    SHA-512:EF42DB558CA1C1F254D85DFC00815B3800C7174C4A5886E54A42CC0E3865A7BB2C69F0E8493ED073D9EBCE8B2B13A70FF74948742B8BA4CCC25DD82985131874
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):87054
                                                                                    Entropy (8bit):6.537987994517806
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:z/MJ/+nRoxPaSYYIfPfMKMTH1XaEaPHY5Ulq5RQ55A5B7wx0E32CMpG9H:z0p+nYIfPBMD1XXaPHY5UEEe7pE32t85
                                                                                    MD5:0320638E15E1415F0B4F4D8E115957DC
                                                                                    SHA1:44E04FC2E0A6C29CB20D26E41DFE0767362BE5B6
                                                                                    SHA-256:05204B05A476845D77A72684751AC337A285603222BBD6D8BC4672CE8E248EAC
                                                                                    SHA-512:24D43451EF4664431374A81DF733ECDF5C1D508FFA6A8C1FAE93C9682A7019CFF92E6E0D65ED6D90BEA2B19316CCCE9E52EB68A80324B03D56B9B882A008F338
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):32270
                                                                                    Entropy (8bit):6.028153828077623
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:cCejrkvCE0Q4dYjxcXT1/OhILLSQ5YrPSpAWVmsANKyU4LhpImcOhw9qho5lvhrw:cCejQvCXwxcRKQ5YrqssP0hpixwuhCb
                                                                                    MD5:E91DBFEEEFEE5FA1C6F5E017B66FA685
                                                                                    SHA1:87017821E1639E4240DE4E4EF1BE0810F2D73DCA
                                                                                    SHA-256:817BF7ECC95F4CF87B7875D88F5C1B265F8B2E1FC42867A1EAF18F1FCC97EF8A
                                                                                    SHA-512:F3AEA479062B85B9BCBB6D51123DCC63DB1E351D73A9E648B5D905B28A2093FD37E7CE4FC31C8C0F0B17B5CD78AFA4BA649F00770F3D63EE7B30F10F17C47A52
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):72704
                                                                                    Entropy (8bit):6.62924047816937
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:7oXtn5ioQ5ngCqvP+H4GyXQ2Z3Kc6UGrfrryJrE1HcNDEOIOkIOknToIfWhQFk:7oXBooQ5n9quH47XQsKKbEFcNLKITBfh
                                                                                    MD5:3D1F65624EBAEA131C0DC61C5EDE4C88
                                                                                    SHA1:54B3986A17E4DCE7149136A58F4713F5B67C5EC6
                                                                                    SHA-256:A62C67128B10FBC32471B63D807B90A6F88FFCE44F7495480CABAA57B8881F7D
                                                                                    SHA-512:3C5FA60130948F0F63E131F56EBB270E3C9CE643C4D64310DD43D61F6EF6730C2DEBD83C35AABA2C2F4FE46D4A5915F9C5DC2CBF91BB7174306FCE531B184050
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:BIOS (ia32) ROM Ext. IBM comp. Video (73*512)
                                                                                    Category:dropped
                                                                                    Size (bytes):37376
                                                                                    Entropy (8bit):5.937455846413555
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:UugncgrVCYWgrnECV9b4xIifVLvghWzCSiuFYd/S87qa2jhOnjiwjmFcrHo:vWc8VIg4c9b4rLvghWFY//7+9OnjBfH
                                                                                    MD5:5B506BE8B749688BB0CEA80F48F5D170
                                                                                    SHA1:699FC369C9E6FBC75331C3390E689F1A073BB6AD
                                                                                    SHA-256:4D7BBF850577E9E1B95C24C117EB031418071A439B03F96804F0492DE5D368C0
                                                                                    SHA-512:745A4787C2F60D39FA80441BADA2386CECFA4A09485132F760F3A7F62401A8FDE7B13BC4932A2EE452606C205D724200C85B1AF7E86D0ED7A3F59D865F22EF04
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):5348728
                                                                                    Entropy (8bit):7.130881877078101
                                                                                    Encrypted:false
                                                                                    SSDEEP:98304:fNBSYWddgow1p7Vr1p7VP01p7VXvxdByux:i3dspBRpBapB/xdYux
                                                                                    MD5:1186162D9A1EBCB9DB7729124BBB80E2
                                                                                    SHA1:718087D5CD60205AA1D369A008373F88B3981B34
                                                                                    SHA-256:9BF980A7A320DAF862AE8B44CF2AE5292B4C6C06440B09EB8696811ECC48C59D
                                                                                    SHA-512:861AC8D08C3C7D84F905494ED2F0CC96528AFDCFE7BF900AE6D9C1711B4EC6687A2649B327405058650990C082AA9D9165A4BE44F29CFFC3CFCC52AF54A948BF
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):5949966
                                                                                    Entropy (8bit):6.443448262854648
                                                                                    Encrypted:false
                                                                                    SSDEEP:98304:YkGkHBfhGbdvHp+PTwHbQApPCNmQ5U7dI/v4GW/F/P9w9Teai3qAiaOdH3qXYFE9:YvkhfO/7QyOU7XGW/F/P9w9xiXGqXCd8
                                                                                    MD5:B95DBDE252CC8EA490E1D9D04EC5FE0D
                                                                                    SHA1:EDD746C496EA8564367B3108736490DCFC14C360
                                                                                    SHA-256:0AE98794B3523634B0AF362D6F8C04A9BBD32AEDA959B72CA0E7FC24E84D2A66
                                                                                    SHA-512:D2DF384B979F01FBF77067B2D68879221684FFCBFC270000A50BE972C8C6BC8F3CC3C1F03EA79216B7B0B296EA27581D38B311472281571BC20D47E61D7CCA47
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):4286976
                                                                                    Entropy (8bit):6.349744679640152
                                                                                    Encrypted:false
                                                                                    SSDEEP:98304:/F68blcCHrtP3GEtWl5RISDrvkUojFOqjFwzHup/QI3wIS2ig:/F68pcCHrBnctINUKpwDusr2i
                                                                                    MD5:4F613F7487CFCCB7FFC6C0F28215E71F
                                                                                    SHA1:74E62481E808D625E57978F48E6F3E44FA10888F
                                                                                    SHA-256:ACF2F13448527C75F33A7DBED120D492B327D6B022C39C3838266B5ADCD86910
                                                                                    SHA-512:E5CD9E2537639F89BF3868777DB3E76A96F3E861B57FBA887711793C443D456CD5EA60508A5A6BFD0B315ACEF13FFFE064D2B68FD374E99AAB925408BB5BB1F4
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                    Category:dropped
                                                                                    Size (bytes):12288
                                                                                    Entropy (8bit):2.1124872685156197
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:6gOWZ5L1eJodTmPzQ6yrob4zernRYt18imlPejGtZTzbGdaGgGc2:61mgOdY06zjrnC4UOzbCaG6
                                                                                    MD5:1CFAAECDE2F296C8F479031585D80184
                                                                                    SHA1:96041703AA7DBA1AFA058E7DA88A388D12C5F5CC
                                                                                    SHA-256:FBD7000FF3C7C0643F37ECE932515C2B15B287C4BB2373FCCB65486910D3CC0F
                                                                                    SHA-512:DEA7788BC436A1B77BEEA06047CA9ABE51E458AC08FF4B0908520F3D16131F9C0C41920FF8749AE29803DC5FA5975AEBD1B4908C1456857CBD5A9177D0767EAF
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                    Category:dropped
                                                                                    Size (bytes):8192
                                                                                    Entropy (8bit):1.2006680992695278
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:811js/cY1ccw315KObGUw12Y5ynLIOcwf+Gp/WJodTmo8kHtOnwWHx85G6:8w/VSp15FbGbqLIi+WeJodTmnlB
                                                                                    MD5:77726959DE14DC5479C5C09A76374076
                                                                                    SHA1:21335832D4FAEAB27B743700A664E17FFE3E2066
                                                                                    SHA-256:F0CFF01420A3B049AC54B247390B7049251146BA54E81D32F4AA6B3D1E16CEB5
                                                                                    SHA-512:46C97E037FCC6E80EA2DDA24E4EDB1F618EF79B08072B5F6F403B8DC2A3D928B374F3078B2DB396893524970459F3C9F15BD2F5709A539AAB97CB1BADBF07FE5
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):327680
                                                                                    Entropy (8bit):5.28383084948076
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:WQM6G0689nx9n3rYwhRNvpbE3Vr6JjoyiPhyEN2VDtt6taDMEVunrbaH0ByofkTl:WQp9x5YwiVWAx864Pumz5K/s
                                                                                    MD5:54DA4A3EBAE0F043465B781D45EB7E50
                                                                                    SHA1:8ED915230B8AB3F24B76B064AB484BEC43320095
                                                                                    SHA-256:A6F3CBE17B2FA1622F6156B53490C1266C9BB6BCA201DE7BE106ECEAE883A1E0
                                                                                    SHA-512:A9D695806EB28B5987D9935A621A5AE81ED940327E00515DE69F9034969C596D347A66B298DB2CAC7B1D0632C0304CB512510F8BE55610BC31E58002E35CAB02
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:System Deployment Image, PageAlignment 2, checksum 0x39, type PART at 0x2000 971264 bytes DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", Media descriptor 0xf8, sectors/track 1, heads 1, hidden sectors 1, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 1, sectors 1896, $MFT start cluster 52, $MFTMirror start cluster 100, clusters/RecordSegment 2, clusters/index block 8, serial number 01cb207c86375d80; contains bootstrap NTLDR, type WIM at 0xf0000
                                                                                    Category:dropped
                                                                                    Size (bytes):983040
                                                                                    Entropy (8bit):2.543080944376282
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:C/pcj53vs/InbrTIHvPnHmC5irUuMo/+ncoZZihnhv/pc:qcRn7y/EouH/cpif
                                                                                    MD5:9106857D1B8712BA3FEE8A4BACE8B9E9
                                                                                    SHA1:F65BA483679CC58A67E29501382F33586A9E1B69
                                                                                    SHA-256:FD9C0F38DD4A75632A4F5B94DD1977660F4A6FD53AE501FCE976F430C5885724
                                                                                    SHA-512:3A452F740103D7430A7725C039B24092F1D326CA0BB50E527FBFC4D6BD0EB63BC9E40D9794EC5FDE71C839A64495F1F001424E2ECAFC8D48288AD23019FE2BC6
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                    Category:dropped
                                                                                    Size (bytes):425984
                                                                                    Entropy (8bit):7.85474407296816
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:3sdbaZx/8B+q2cWNIUHwHU/N2KBJXB8RPozWuhjkl24TOwx0/+pyjzI/oSbY:8V+++cWNRLv7kP2S2IuzI/oS0
                                                                                    MD5:0E72509B2D5C55093E2C9AD141067644
                                                                                    SHA1:4470A289016E2815777D3EEC2BF7F985730249CD
                                                                                    SHA-256:A65ECB7BCB0FBC02ECC72300E10A36171C55FF322DE5F6390669973BF49A2587
                                                                                    SHA-512:3CEEBFC64649C7A325FBFDFEFAEB437A742E005AB270CA614A2C3907B02CF61A55F42F0B1D9B0F66E2A4BFFA22B29D6F64625EF03FD179958429303995BE1B24
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 3%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:DOS executable (COM)
                                                                                    Category:dropped
                                                                                    Size (bytes):398157
                                                                                    Entropy (8bit):7.880451328895632
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:e90w+ZKArM1eu8fh5TZUV4SJ8ez8Fq1WsH/XU0z+:u8m1e1XZUVD8e4a/E0z+
                                                                                    MD5:A8A314427AE1574AF6835877F657FF69
                                                                                    SHA1:8B862AA74AD59367E5D7EC76473E96CFE5BA9641
                                                                                    SHA-256:D2605BE6A6A2E217876A20376035D4C2A55F56F451FE7B8797A35792116475F8
                                                                                    SHA-512:C1C287BABC14258C6031BA346FD2428750B0693C9E60D2D3C2ACE4F91B065E6B68E2408C85E14A85E3B5349CFC88DB79F067ABC09E98549B2CC446465150F57D
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32+ executable (DLL) (EFI application) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):1354480
                                                                                    Entropy (8bit):6.449263012275028
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:awzWtzcdsvASZspKYCjdgiQh9rgc6SPEl3ODzkYbgyM8oPw+65Cm:xzDuvyprCjdgiLLsQYbgyM1rm
                                                                                    MD5:87B6D22295A16073D8D456FC574441A8
                                                                                    SHA1:0C26596B3297D5E5A06F8D3788579EDC7895A622
                                                                                    SHA-256:783D088CE72996A064C0DA796579475E0AEF23C5E6E0E5905C98571BF8620E20
                                                                                    SHA-512:17E8AB17CB0E872E92843274FE2E7F0F77341ED252883A97CE104CAD31F144F73876322A58FF6DF05F0CF98353DBD5D9F83863E8B4F1E6F8645791A5829C70BD
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):63728
                                                                                    Entropy (8bit):4.707057839761821
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:M1hydczPhI9r1WtR8WvrzBpAv8TXAuOuNNzv6qEGLil/tKs28DBRJxplG9cW:MHydc7SitRDAuOuNNzv6tKsT1Pxi9D
                                                                                    MD5:33A1F3CDC35DD4FC4B514B18D0F5AF2F
                                                                                    SHA1:E916C6BDC8CE33A3270573EB997C3F9E7C541D23
                                                                                    SHA-256:F916150DC0CE6EF93BF032BD4941836EEF8D0BDFAC7C68574A73869CA2EDE602
                                                                                    SHA-512:7A5044A16539ADEB4D9BF3B9D06864B9549634D21E77D84F29D517CC8ECF81133EF770D1859617ED27F5A00913EE2A75CE80F1E26A696C7735FF2248960E5D1F
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:DOS executable (COM)
                                                                                    Category:dropped
                                                                                    Size (bytes):398156
                                                                                    Entropy (8bit):7.885858823335205
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:egXZ0dArM1eu8fh5TZUV4SJ8ez8Fq1WsH/3UzM:bXI1e1XZUVD8e4a/kzM
                                                                                    MD5:21BF183C15AFE62A8D1137BB9007B2A3
                                                                                    SHA1:D656DD1E85D7E8ACFFDEFA9CED5D74BF0B978E39
                                                                                    SHA-256:2FC3D311969B63A258446488EC75C275D736DED13D74624E1C541F43A72AB483
                                                                                    SHA-512:8A67833D502EDABA077C783DAB69A7D8C9155971C409F78CB87948BD4415B7A58410517ACED73D6ED7D13A6B975AF769AA0623B9DFFD9537F5A1CE0248308291
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):63728
                                                                                    Entropy (8bit):4.7074106741898385
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:KhydczPhI9r1WtR8WvrzBpAv8TXAuOuNNzv6qEGLil/tKspH8DBRJTlRMk:Kydc7SitRDAuOuNNzv6tKspc1PDf
                                                                                    MD5:94AE44D9AD4512BEEC5A07B29F8F6A3A
                                                                                    SHA1:2DD0E0A9C92EBDF633ED2C52A06015BBA63E4D3C
                                                                                    SHA-256:DD30295CDB38381B0D4A527BB06C46745D5DD4B1F369B1452E837CE1D73A76F7
                                                                                    SHA-512:1A843177C8264ECF273BA75CD735E31E66DA1F78262124046D0421051DA31979846DF1A0ABDC88D83A720EEF7EB2ABC790DA5C7579E5FA326DD36164CD072273
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:DOS executable (COM)
                                                                                    Category:dropped
                                                                                    Size (bytes):398157
                                                                                    Entropy (8bit):7.880588577296823
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:ehBQF/ArM1eu8fh5TZUV4SJ8ez8Fq1WsH/sU8qQ:iQF71e1XZUVD8e4a/TdQ
                                                                                    MD5:9D48760C0F911CE98C046329378117E9
                                                                                    SHA1:0E3FBB49E35C7FE19CC045E23AF0044F265595CA
                                                                                    SHA-256:1F6B804B50A74CF0C511C7B90F4392BA038B1B4D521935D3BBDEDBD6581276BB
                                                                                    SHA-512:40E614B3DE1F20AFF8F2FBDDE20B93A5D7F0931123BA678A7E3478D36E18B1F3939DA8444296C43F26BCC606A8142A7CFD32D2627A78A50A8A102FEB6594F2FD
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):97280
                                                                                    Entropy (8bit):5.5755301838041
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:YYbtrIOZ5XZX+SQleQKdsN+jiRBlY/k6ftJDR:ZI85x5ueQKdsN+jiRI/k6V7
                                                                                    MD5:9594BC046765DF20F4AC8DED4D1DD5D8
                                                                                    SHA1:95DE0064B529D0EE2A0BC786D3511A9376352847
                                                                                    SHA-256:4C457232DD4B8E3589F2F38F705089BAF568B1E9EC1554A0A3022B39F4286E76
                                                                                    SHA-512:5C1110603239D314AD8216E3503ECB78F40D2C286810E4AF7944AB4FDB0591E96A64268D545CD950696651E2A4E85529F1220A188CF7013DB827D8FA23A5A6B1
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 15 names, Macintosh, Copyright \375 2006 Microsoft Corporation. All rights reserved.chs_bootRegularVersion 1.01
                                                                                    Category:dropped
                                                                                    Size (bytes):3694080
                                                                                    Entropy (8bit):6.624448833616754
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:JRLb7Lb7Lrrb7brb7Ewmgi4uYCgrGgCYuU1B3zCOGHrSGjwe18wGHLuRapXtb:5z1GHrHwe1auRa1V
                                                                                    MD5:CEC569AA88293C3711AB8CE68523227E
                                                                                    SHA1:03AD7AADA17A724FA9B7B2926D99026F7B673008
                                                                                    SHA-256:13E470AB455716E87E0C7A89A8605A33D8DADC245F445141B3D9869DA87FEB20
                                                                                    SHA-512:01C83C69169CCC560154851219891A4EC9E2A877251FF7AC8373D3627C74AE3FDABA0D15894352D3A81E29926BAAE1C084D7E4F8EB5246F97F44BE49AD1B97D9
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):81408
                                                                                    Entropy (8bit):4.896188701676874
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:SrNzEAAwF11A/YuQu2QVoh1Ad5pWQlqTORopXJAiFaptH7S82BSOe9oKSJ2SLD0G:qEAlA/YuQNNeUTORopXebptH7SF4O7W
                                                                                    MD5:530DEDEFF00322BE5F5A0FBF341DB2CA
                                                                                    SHA1:B147EE2488FEA4E14F3AA16423BFF46F5C57D50C
                                                                                    SHA-256:97CFF42F8C0FE4FBDF991273159516BF78090625A933C3983EBD6F62284E329A
                                                                                    SHA-512:7083A56F298C933AD83F982866CC80317579A74802B6E182E18FA254F70604FCD353B71B35C42208737B116F0C1045A71ECE7FD99EEF9E75D46816A380C093AC
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "ULTRAISO", sectors/cluster 2, root entries 240, sectors 5760 (volumes <=32 MB), sectors/FAT 9, sectors/track 36, serial number 0x5d307603, label: "EFI ", FAT (12 bit), followed by FAT
                                                                                    Category:dropped
                                                                                    Size (bytes):2949120
                                                                                    Entropy (8bit):6.163785261588251
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:Xqv6WBVxDDmOaJUatzDuvyprCjdgiLLsQYbgyMlJ2:Xw6WdDDmaLqYsgyyc
                                                                                    MD5:C3834E1FE3FC05FF074C15C308BE4087
                                                                                    SHA1:967D908A8C027754CD17444644471E938F24DC80
                                                                                    SHA-256:3C8F8045483FCEFDCEAA2A77EBF114CE5136E392C337ACB80D0F0E8D6589C49F
                                                                                    SHA-512:2C67CCBA197ACEFB0A85F52E2E40C57B3D023E8AEB098810DA88B98C69B7FD899429E70E9F9B17B261C251B8A8796FA7E5DC844B2495187227F581FE4DEF0CE2
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):128529
                                                                                    Entropy (8bit):5.706230011219611
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:w25YBtZbwW3PRAXYw6BCeJvzWSEZhmlJvPiQV0Lp8LVxRtnCr7GevORAgDwTf:kfZzPrBCWSl7IJik0Lp8LVNnwaeJ
                                                                                    MD5:0AAB19E84783FD33BC306BC2059D5B9A
                                                                                    SHA1:1212751E792BAEAC5930AD6A977B0182AF8979AA
                                                                                    SHA-256:FE58B427CE661E976FBFDE72D7D7BAA9BE802C803D335B530288F98B0E922F25
                                                                                    SHA-512:810EF76AFFA64E548A695490C819730C5389C2562E3CE2B93D3AE81E08E145788B8D85340985121F3F41089508B9FC96B0A45B0BAA1FAAD0A2BD1205ACB40B3E
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):181544
                                                                                    Entropy (8bit):6.746436430325004
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:7dcNIrw6+JB6muva870ofs2DvKKzjaqCardUbgyk0L68L++go10irnexE:7dcNd6Sgj0gs2DvaxfkJH9RirnP
                                                                                    MD5:AB429E6B5A863E7AE0D2B218446B2AB2
                                                                                    SHA1:49C160CB49243035B3812E97DAEAD402EEA2EE8E
                                                                                    SHA-256:6E084422D6B25BB3A3E6A76A757AD5E1FEBCFE32EBD794615AB01BECF938BCBA
                                                                                    SHA-512:3D607A238699C73FF753306671FA1C40F449333165CAADCA40CAD9BFE04DC66CFC0D83F546258C6BA2B4D862894D26306859DF7076F42B5CFE2B791DFB1E512A
                                                                                    Malicious:true
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):10869248
                                                                                    Entropy (8bit):6.934852026897097
                                                                                    Encrypted:false
                                                                                    SSDEEP:196608:W9FCEwloCrO+GORSGYPgZCQjcrQQIAF5x45r3:W9rwloCP96AHVg5iF
                                                                                    MD5:62AE67155AF66FBEE68C50545D7E6702
                                                                                    SHA1:C6244163DC04526B7F1E1F87FA932867F0B6F5C0
                                                                                    SHA-256:B516DECB540779C2AA8BAEF8B50678926CB7AED8BF110AC24C85C74C89C87FFE
                                                                                    SHA-512:7581206B8996E822910C9D1DFE1BFC434ADD8E803FA2EC643DF7F4D50136CD21F50FFF55596BC0F5C634CA1A61CD1ECF09062F35665ACFDD501C5E22A252DCF3
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):846350
                                                                                    Entropy (8bit):6.390798085209611
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:HI8K46HNlneO2z+NNQG+xrlD/iEzg6JsOU17RuZT:HI8K1eTzkNQG+xrlD9ERMT
                                                                                    MD5:26A222FEF448305A55A3726E374874FE
                                                                                    SHA1:0C508A3C78A07C76953275E8DC625B52DE475E54
                                                                                    SHA-256:10EFA0F563C909A575338157B7D621C8C748A4B4DF796249DF14531A0F0355F7
                                                                                    SHA-512:C1E0C5CE3494AD102A6C24AA1A535E8DB102655732230F40BD8DECFF8EA49BCB5C95E3E338684C850773F8170E68E1333FF5C8230B537D632E4573FB634C8040
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):119296
                                                                                    Entropy (8bit):6.682989368728088
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:J914eR1Kj7y86TOFYpgV8R3LwDyNUzhL4tkAv2WiNc:J9BSrOpgV81LwDyNUzNAkm5i
                                                                                    MD5:EDC8E2E5B7213F85BF331F4BFB6D67EB
                                                                                    SHA1:317A26EA1E828579C97C4BF0BD1BB4B0FD94E7C3
                                                                                    SHA-256:016FCDBD9A0E5CEBEAE5F134BE8C62E807F8F59E23CE847B3A312B01F2D96897
                                                                                    SHA-512:EAF0C51FBDD56F5878615E06B4B0ABF2631FA6F88D77038BCDC80D9A205A746AD97F5B9F8602D767A818C4D6C22A65AF77ADB4C5243AB575AF4578C0F4B413B0
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):54
                                                                                    Entropy (8bit):4.79610162233352
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:jA7/PRCy3nMWxBQYn5mIHuU1:8/pCMMWIYn5mIHuU1
                                                                                    MD5:3FA83BD695F5337FF4F88283F25613E9
                                                                                    SHA1:1B0809135F09C41D92F74AE9A8D5FEE5B7C59B8B
                                                                                    SHA-256:FB7118C9D537EBD7912D0005C1C4C0E68E47B9FF4C5C0F5D415974CC7D7745A3
                                                                                    SHA-512:FB88E0256671683E232EE8B7C1B7DD3A0D9DB64E8996E3EBA6D1373BC9CBFC9C75FE4A0FF5250F06D2AC94389D5B4FA828781E04A2B218825FA2DC6CB3E1FE50
                                                                                    Malicious:false
                                                                                    Preview:UserName='Guanjiu'..Registration='A06C-83A7-701D-6CFC'
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:ASCII text
                                                                                    Category:dropped
                                                                                    Size (bytes):724
                                                                                    Entropy (8bit):4.333147991372871
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:6JFuRw8s2R06IVJTu6pqzK0lPUV6OOSDjFxJv7CaunvZ6K:4X8lbiJTTpvUPUNTDxxBCbd
                                                                                    MD5:3C79B94F7CD2CE0AB32A5F80BF113020
                                                                                    SHA1:95636CE058B686DAB1F438E4D7DCEF144130EBFD
                                                                                    SHA-256:5600979F013961A4F0B8DD5AB261122E9257535A33BCBE29FF94E4BDCD48F63F
                                                                                    SHA-512:D6A2936D7F88C6510C3DB34E81A0C1125726E5430F780D1DC5AE4BE360A68B26A14AD519E7149B6CF4A2FB9884025D7E1BE84E2D526F607BAF5D4EF582808290
                                                                                    Malicious:false
                                                                                    Preview:========================== About this file ==========================.This file is used to mark this image as "Ventoy Compatible"...========================== About Ventoy =============================.https://www.ventoy.net..Ventoy is an open source tool to create bootable USB from ISO files. .With ventoy, you just copy the iso file to the USB drive and boot it. .You can copy many iso files at a time and ventoy will give you a boot menu to select them..Both Legacy BIOS and UEFI are supported in the same way. .Most type of OS are supported, Windows/Linux/Unix/VMware/XenServer ... ..=============================== Contact =============================.Mail all comments and suggestions to longpanda admin@ventoy.net .
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:DOS executable (COM)
                                                                                    Category:dropped
                                                                                    Size (bytes):322331
                                                                                    Entropy (8bit):6.694157575125792
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:pcvZs1gkQ1e1tsP3/fCagTMEJyMc8z9nsqm9VNw:pcvZs1gngG3HgTOM/KP2
                                                                                    MD5:646EC0ED1035C1164855284AF888FC9B
                                                                                    SHA1:6D25C772A86A2AFAB08B7326314F80ED55DA1102
                                                                                    SHA-256:82B7A94282833BEE7A458FBA1FB75241581128718C3DF0FE26305FD43A04FF5C
                                                                                    SHA-512:7EDC5C4B33FF842E061D794D5562A5CAABC566442D12DC975CFB09E9EF16EC7F38724DD973C3E046B23C02DA8C4C50499F93AE368630298E801D6B18141BF9C1
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 17 names, Macintosh, Copyright \251 2006 Microsoft Corporation. All rights reserved.wgl4_boot is a trademark of Micro
                                                                                    Category:dropped
                                                                                    Size (bytes):47452
                                                                                    Entropy (8bit):6.653349676863251
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:/8KlPfaMmkeN4bKJX5zJN+D3eegCLmlor54NBHyh87kUJ3JnP/Ba/32UUU5wD2US:1CiuJXNuofSUBozIvS0YHaeYE
                                                                                    MD5:D5CED633BF8446A3315EC58CD60148C1
                                                                                    SHA1:8B4BCFC504A763FD47FB85D49BF23C1C68C5BCFC
                                                                                    SHA-256:9AB081731E46DB6CF1248669DB7D6B09E9178B61B552A6A2287CA4202C83DA2B
                                                                                    SHA-512:6224C2B8E24A3A8C4AD46D9324098C8CC776659F86E1CFA60B15C32199D741D2652489FF2F7AC996B0A899804F4BAF72AFB0B6338F0B15363AD1F8938072EE3A
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):142350
                                                                                    Entropy (8bit):5.888174741247078
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:iZPDRwshwN+dMqNWBYIkfUlkFKm796wO0BFXF9ehItIvPj:IDRwX+aq4nkfUl877YwTBFVoxPj
                                                                                    MD5:47D47C7110394287B19E67DC98C792DA
                                                                                    SHA1:C233C232C2758F1EF5599D69EB64579B397B7CCE
                                                                                    SHA-256:5D01B3E47B652B94EA4AF40D4B492838D1C464AC4E8BADDD6A407E5F366876DE
                                                                                    SHA-512:D609CC0599591D636D0353FCD1EF636225CF0F597DEAF239BBC170EB7D5E0CAF07CA60CD791E38F4183293F4D77088CAF9834D77829759932B0A7FA01AD2989C
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\k3yYC4F6nT.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):293320
                                                                                    Entropy (8bit):6.319013319313731
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:8s+Zak7wIL5DxM/kMfcFegZjHzsjsyAr1IizjcCdY:87Nw41a/jEBZjHAjsyABIizk
                                                                                    MD5:40E8D381DA7C2BADC4B6F0CDB4B5378F
                                                                                    SHA1:3646338C6A20F17BF4383A8D053CE37681DF8EAD
                                                                                    SHA-256:CB0B0C42DAE0A1E946F97F6BDA522EB5AD943CB632BA3D19F597ECB3E1F5EB94
                                                                                    SHA-512:68DC5128D2E90885CA0E69DCED80254E87AB765FAEFAF152B3CF452B37FB730EC146D4930342CED3F227BD7622A93592526D73567155346DE14CD76E5180E7B3
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Entropy (8bit):7.8794117803932
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:k3yYC4F6nT.exe
                                                                                    File size:30'775'808 bytes
                                                                                    MD5:f9d4a14f2de2540ca26fc868055c65b3
                                                                                    SHA1:0b2422f5f44e2fc58d969af28c90d224a6555486
                                                                                    SHA256:5b92db9823ea621b158edcff6963b63b22b00b58750d74de1f6dc7fb3e962cd3
                                                                                    SHA512:d6adeb3be77e3d27e49006890c11bcace35588eba9d2f332936e01269da0a51223f5d66fd5312e4ed0733b3d0931fb6aa040f2e1cf3b69d80438e3ee71fed632
                                                                                    SSDEEP:393216:/Po9JZlsnVimWLejGMfKg8db9YuWesOLYZHp+vdZ97gsM80okuWcL4nkD:49PqNRfkJqreslHwvdXu3oWB
                                                                                    TLSH:A9671221BD9E8536DC521D3197A9B73D1D3EAF30132540D3BED02AE968B13C25A3AE17
                                                                                    File Content Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........s..............>.).....>.+.^...>.*..............j\......j[.....'L......'L......'L.......jK.....?L...... L......?L.............
                                                                                    Icon Hash:08399971f0c4ce96
                                                                                    Entrypoint:0x68db8d
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x64955873 [Fri Jun 23 08:31:47 2023 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:5
                                                                                    OS Version Minor:1
                                                                                    File Version Major:5
                                                                                    File Version Minor:1
                                                                                    Subsystem Version Major:5
                                                                                    Subsystem Version Minor:1
                                                                                    Import Hash:2d9342556b2988c6d938331346566943
                                                                                    Instruction
                                                                                    call 00007F1BB4DA4C3Fh
                                                                                    jmp 00007F1BB4DA38B3h
                                                                                    cmp ecx, dword ptr [00A68084h]
                                                                                    jne 00007F1BB4DA3A25h
                                                                                    ret
                                                                                    jmp 00007F1BB4DA3A7Fh
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    push dword ptr [ebp+08h]
                                                                                    call 00007F1BB4C5CDADh
                                                                                    pop ecx
                                                                                    pop ebp
                                                                                    ret
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    test byte ptr [ebp+08h], 00000001h
                                                                                    push esi
                                                                                    mov esi, ecx
                                                                                    mov dword ptr [esi], 007E72ACh
                                                                                    je 00007F1BB4DA3A2Ch
                                                                                    push 0000000Ch
                                                                                    push esi
                                                                                    call 00007F1BB4DA39FDh
                                                                                    pop ecx
                                                                                    pop ecx
                                                                                    mov eax, esi
                                                                                    pop esi
                                                                                    pop ebp
                                                                                    retn 0004h
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    push 00000000h
                                                                                    call dword ptr [007AE2FCh]
                                                                                    push dword ptr [ebp+08h]
                                                                                    call dword ptr [007AE2F8h]
                                                                                    push C0000409h
                                                                                    call dword ptr [007AE55Ch]
                                                                                    push eax
                                                                                    call dword ptr [007AE554h]
                                                                                    pop ebp
                                                                                    ret
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    sub esp, 00000324h
                                                                                    push 00000017h
                                                                                    call 00007F1BB4DA506Eh
                                                                                    test eax, eax
                                                                                    je 00007F1BB4DA3A27h
                                                                                    push 00000002h
                                                                                    pop ecx
                                                                                    int 29h
                                                                                    mov dword ptr [00A7E338h], eax
                                                                                    mov dword ptr [00A7E334h], ecx
                                                                                    mov dword ptr [00A7E330h], edx
                                                                                    mov dword ptr [00A7E32Ch], ebx
                                                                                    mov dword ptr [00A7E328h], esi
                                                                                    mov dword ptr [00A7E324h], edi
                                                                                    mov word ptr [00A7E350h], ss
                                                                                    mov word ptr [00A7E344h], cs
                                                                                    mov word ptr [00A7E320h], ds
                                                                                    mov word ptr [00000000h], es
                                                                                    Programming Language:
                                                                                    • [C++] VS2008 SP1 build 30729
                                                                                    • [ C ] VS2008 SP1 build 30729
                                                                                    • [IMP] VS2008 SP1 build 30729

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x661730 | 0x1f4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6a6000 | 0x168840c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1d2f000 | 0x3d610 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x634060 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6340d0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x436ca8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3ae000 | 0xd54 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x6615c4 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3ac82c | 0x3aca00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3ae000 | 0x2b80ba | 0x2b8200 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x667000 | 0x1da98 | 0x11800 | False | 0.38539341517857145 | data | 5.408380764007375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x685000 | 0x1a978 | 0x1aa00 | False | 0.3013039172535211 | data | 4.237608759561592 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.giats | 0x6a0000 | 0x10 | 0x200 | False | 0.05078125 | data | 0.15517757530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x6a1000 | 0x9 | 0x200 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.detourc | 0x6a2000 | 0x2290 | 0x2400 | False | 0.06803385416666667 | data | 2.905675113418934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.detourd | 0x6a5000 | 0x18 | 0x200 | False | 0.04296875 | DOS executable (block device driver) | 0.11611507530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6a6000 | 0x168840c | 0x1688600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1d2f000 | 0x3d610 | 0x3d800 | False | 0.4748118330792683 | data | 6.569152016677012 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x6baa08 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa0c | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa10 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa14 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa18 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa1c | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa20 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa24 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa28 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa2c | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa30 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa34 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa38 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa3c | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa40 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa44 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa48 | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa4c | 0x2 | data | Chinese | China | 5.0
AFX_DIALOG_LAYOUT | 0x6baa50 | 0x2 | data | Chinese | China | 5.0
BINARY | 0x6baa54 | 0x14c8d7e | 7-zip archive data, version 0.4 | Chinese | China | 1.0003108978271484
BINARY | 0x1b837d4 | 0x2a800 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | Chinese | China | 0.5029986213235295
PNG | 0x1badfd4 | 0x77 | PNG image data, 4 x 4, 8-bit/color RGB, non-interlaced | English | United States | 0.9915966386554622
PNG | 0x1bae04c | 0x2f5 | PNG image data, 70 x 23, 8-bit/color RGBA, non-interlaced | English | United States | 1.0145310435931307
PNG | 0x1bae344 | 0x301 | PNG image data, 70 x 31, 8-bit/color RGBA, non-interlaced | English | United States | 1.0143042912873863
PNG | 0x1bae648 | 0x287 | PNG image data, 70 x 23, 8-bit/color RGBA, non-interlaced | English | United States | 1.017001545595054
PNG | 0x1bae8d0 | 0x36e | PNG image data, 22 x 40, 8-bit/color RGB, non-interlaced | English | United States | 1.0125284738041003
PNG | 0x1baec40 | 0x15d | PNG image data, 55 x 22, 8-bit/color RGBA, non-interlaced | English | United States | 1.0315186246418337
PNG | 0x1baeda0 | 0x13e | PNG image data, 55 x 22, 8-bit/color RGBA, non-interlaced | English | United States | 1.0345911949685536
PNG | 0x1baeee0 | 0x115 | PNG image data, 30 x 24, 8-bit/color RGB, non-interlaced | English | United States | 1.03971119133574
PNG | 0x1baeff8 | 0x12a | PNG image data, 20 x 40, 8-bit/color RGBA, non-interlaced | English | United States | 1.0302013422818792
PNG | 0x1baf124 | 0x20c | PNG image data, 10 x 28, 8-bit/color RGB, non-interlaced | English | United States | 1.0209923664122138
PNG | 0x1baf330 | 0xfd | PNG image data, 10 x 28, 8-bit/color RGB, non-interlaced | English | United States | 1.0276679841897234
PNG | 0x1baf430 | 0xa6 | PNG image data, 7 x 7, 8-bit/color RGB, non-interlaced | English | United States | 1.0120481927710843
PNG | 0x1baf4d8 | 0x7c | PNG image data, 3 x 11, 8-bit/color RGBA, non-interlaced | English | United States | 0.9919354838709677
PNG | 0x1baf554 | 0x96 | PNG image data, 9 x 8, 8-bit/color RGB, non-interlaced | English | United States | 1.0133333333333334
PNG | 0x1baf5ec | 0x91 | PNG image data, 9 x 8, 8-bit/color RGB, non-interlaced | English | United States | 1.006896551724138
PNG | 0x1baf680 | 0x84 | PNG image data, 15 x 3, 8-bit/color RGB, non-interlaced | English | United States | 0.9848484848484849
PNG | 0x1baf704 | 0xa3 | PNG image data, 7 x 7, 8-bit/color RGB, non-interlaced | English | United States | 1.0122699386503067
PNG | 0x1baf7a8 | 0x771 | PNG image data, 13 x 156, 8-bit/color RGB, non-interlaced | English | United States | 1.005774278215223
PNG | 0x1baff1c | 0x697 | PNG image data, 52 x 268, 8-bit/color RGBA, non-interlaced | English | United States | 1.006520450503853
PNG | 0x1bb05b4 | 0x342 | PNG image data, 30 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.013189448441247
PNG | 0x1bb08f8 | 0x45f | PNG image data, 24 x 72, 8-bit/color RGB, non-interlaced | English | United States | 1.0098302055406614
PNG | 0x1bb0d58 | 0x1a3 | PNG image data, 20 x 12, 8-bit/color RGBA, non-interlaced | English | United States | 1.026252983293556
PNG | 0x1bb0efc | 0xac8 | PNG image data, 24 x 132, 8-bit/color RGBA, non-interlaced | English | United States | 1.0039855072463768
PNG | 0x1bb19c4 | 0x37c | PNG image data, 8 x 88, 8-bit/color RGBA, non-interlaced | English | United States | 1.0123318385650224
PNG | 0x1bb1d40 | 0xa50 | PNG image data, 24 x 132, 8-bit/color RGBA, non-interlaced | English | United States | 1.0041666666666667
PNG | 0x1bb2790 | 0x48e | PNG image data, 9 x 88, 8-bit/color RGBA, non-interlaced | English | United States | 1.009433962264151
PNG | 0x1bb2c20 | 0xa50 | PNG image data, 24 x 132, 8-bit/color RGBA, non-interlaced | English | United States | 1.0041666666666667
PNG | 0x1bb3670 | 0x380 | PNG image data, 8 x 88, 8-bit/color RGBA, non-interlaced | English | United States | 1.0122767857142858
PNG | 0x1bb39f0 | 0xab0 | PNG image data, 22 x 110, 8-bit/color RGBA, non-interlaced | English | United States | 1.0040204678362572
PNG | 0x1bb44a0 | 0xb1f | PNG image data, 22 x 110, 8-bit/color RGBA, non-interlaced | English | United States | 1.0038637161924833
PNG | 0x1bb4fc0 | 0xa8e | PNG image data, 22 x 110, 8-bit/color RGBA, non-interlaced | English | United States | 1.0040710584752035
PNG | 0x1bb5a50 | 0xb30 | PNG image data, 22 x 110, 8-bit/color RGBA, non-interlaced | English | United States | 1.003840782122905
PNG | 0x1bb6580 | 0x3a6 | PNG image data, 48 x 12, 8-bit/color RGBA, non-interlaced | English | United States | 1.011777301927195
PNG | 0x1bb6928 | 0x111b | PNG image data, 38 x 114, 8-bit/color RGBA, non-interlaced | English | United States | 1.0025119890385932
PNG | 0x1bb7a44 | 0x3d1 | PNG image data, 23 x 110, 8-bit/color RGBA, non-interlaced | English | United States | 1.0112589559877174
PNG | 0x1bb7e18 | 0x21b | PNG image data, 11 x 88, 8-bit/color RGB, non-interlaced | English | United States | 1.0204081632653061
PNG | 0x1bb8034 | 0xb12 | PNG image data, 50 x 273, 8-bit/color RGBA, non-interlaced | English | United States | 1.003881439661256
PNG | 0x1bb8b48 | 0x7ac | PNG image data, 50 x 162, 8-bit/color RGBA, non-interlaced | English | United States | 1.005600814663951
PNG | 0x1bb92f4 | 0xd43 | PNG image data, 50 x 264, 8-bit/color RGB, non-interlaced | English | United States | 1.003240058910162
PNG | 0x1bba038 | 0x3a4 | PNG image data, 22 x 88, 8-bit/color RGBA, non-interlaced | English | United States | 1.011802575107296
PNG | 0x1bba3dc | 0x320 | PNG image data, 14 x 246, 8-bit/color RGBA, non-interlaced | English | United States | 1.01375
PNG | 0x1bba6fc | 0x31f | PNG image data, 14 x 246, 8-bit/color RGBA, non-interlaced | English | United States | 1.0137672090112642
PNG | 0x1bbaa1c | 0x2bd | PNG image data, 15 x 80, 8-bit/color RGBA, non-interlaced | English | United States | 1.0156918687589158
PNG | 0x1bbacdc | 0x273 | PNG image data, 15 x 76, 8-bit/color RGBA, non-interlaced | English | United States | 1.0175438596491229
PNG | 0x1bbaf50 | 0x2c9 | PNG image data, 15 x 84, 8-bit/color RGBA, non-interlaced | English | United States | 1.0154277699859748
PNG | 0x1bbb21c | 0x163 | PNG image data, 70 x 66, 8-bit/color RGBA, non-interlaced | English | United States | 1.0112676056338028
PNG | 0x1bbb380 | 0x152 | PNG image data, 41 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.032544378698225
PNG | 0x1bbb4d4 | 0x38a | PNG image data, 64 x 26, 8-bit/color RGBA, non-interlaced | English | United States | 1.0121412803532008
PNG | 0x1bbb860 | 0x532 | PNG image data, 64 x 26, 8-bit/color RGBA, non-interlaced | English | United States | 1.0082706766917293
PNG | 0x1bbbd94 | 0x19c | PNG image data, 80 x 92, 8-bit/color RGBA, non-interlaced | English | United States | 0.8810679611650486
PNG | 0x1bbbf30 | 0x2296 | PNG image data, 72 x 125, 8-bit/color RGBA, non-interlaced | English | United States | 1.001242376327084
PNG | 0x1bbe1c8 | 0x69e | PNG image data, 52 x 268, 8-bit/color RGBA, non-interlaced | English | United States | 1.0064935064935066
PNG | 0x1bbe868 | 0x1c4 | PNG image data, 80 x 92, 8-bit/color RGBA, non-interlaced | English | United States | 0.8252212389380531
PNG | 0x1bbea2c | 0x522 | PNG image data, 80 x 19, 8-bit/color RGBA, non-interlaced | English | United States | 1.008371385083714
PNG | 0x1bbef50 | 0x2475 | PNG image data, 76 x 125, 8-bit/color RGBA, non-interlaced | English | United States | 1.000750026786671
PNG | 0x1bc13c8 | 0x69e | PNG image data, 52 x 268, 8-bit/color RGBA, non-interlaced | English | United States | 1.0064935064935066
PNG | 0x1bc1a68 | 0x1c3 | PNG image data, 80 x 92, 8-bit/color RGBA, non-interlaced | English | United States | 0.8314855875831486
PNG | 0x1bc1c2c | 0x505 | PNG image data, 80 x 19, 8-bit/color RGBA, non-interlaced | English | United States | 1.0085603112840467
PNG | 0x1bc2134 | 0x24d3 | PNG image data, 76 x 125, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004243131430997
PNG | 0x1bc4608 | 0x69e | PNG image data, 52 x 268, 8-bit/color RGBA, non-interlaced | English | United States | 1.0064935064935066
PNG | 0x1bc4ca8 | 0x1c7 | PNG image data, 80 x 92, 8-bit/color RGBA, non-interlaced | English | United States | 0.832967032967033
PNG | 0x1bc4e70 | 0x536 | PNG image data, 80 x 19, 8-bit/color RGBA, non-interlaced | English | United States | 1.0082458770614693
PNG | 0x1bc53a8 | 0x24f0 | PNG image data, 76 x 125, 8-bit/color RGBA, non-interlaced | English | United States | 1.0011632825719121
PNG | 0x1bc7898 | 0x69e | PNG image data, 52 x 268, 8-bit/color RGBA, non-interlaced | English | United States | 1.0064935064935066
PNG | 0x1bc7f38 | 0x1c5 | PNG image data, 80 x 92, 8-bit/color RGBA, non-interlaced | English | United States | 0.8388520971302428
PNG | 0x1bc8100 | 0x4d9 | PNG image data, 80 x 19, 8-bit/color RGBA, non-interlaced | English | United States | 1.008863819500403
PNG | 0x1bc85dc | 0x23d3 | PNG image data, 76 x 125, 8-bit/color RGBA, non-interlaced | English | United States | 1.0
PNG | 0x1bca9b0 | 0x189 | PNG image data, 100 x 34, 8-bit/color RGBA, non-interlaced | English | United States | 1.0279898218829517
PNG | 0x1bcab3c | 0x1bc | PNG image data, 100 x 136, 8-bit/color RGBA, non-interlaced | English | United States | 0.7027027027027027
PNG | 0x1bcacf8 | 0x69e | PNG image data, 52 x 268, 8-bit/color RGBA, non-interlaced | English | United States | 1.0064935064935066
PNG | 0x1bcb398 | 0x1c4 | PNG image data, 80 x 92, 8-bit/color RGBA, non-interlaced | English | United States | 0.827433628318584
PNG | 0x1bcb55c | 0x4ef | PNG image data, 80 x 19, 8-bit/color RGBA, non-interlaced | English | United States | 1.0087094220110848
PNG | 0x1bcba4c | 0x23a2 | PNG image data, 76 x 125, 8-bit/color RGBA, non-interlaced | English | United States | 1.0007673755755317
PNG | 0x1bcddf0 | 0xc5 | PNG image data, 3 x 26, 8-bit/color RGBA, non-interlaced | English | United States | 1.0253807106598984
PNG | 0x1bcdeb8 | 0x69e | PNG image data, 52 x 268, 8-bit/color RGBA, non-interlaced | English | United States | 1.0064935064935066
PNG | 0x1bce558 | 0x1ba | PNG image data, 80 x 92, 8-bit/color RGBA, non-interlaced | English | United States | 0.8212669683257918
PNG | 0x1bce714 | 0x4e4 | PNG image data, 80 x 19, 8-bit/color RGBA, non-interlaced | English | United States | 1.0087859424920127
PNG | 0x1bcebf8 | 0x250f | PNG image data, 76 x 125, 8-bit/color RGBA, non-interlaced | English | United States | 1.0005270369979973
PNG | 0x1bd1108 | 0x69e | PNG image data, 52 x 268, 8-bit/color RGBA, non-interlaced | English | United States | 1.0064935064935066
PNG | 0x1bd17a8 | 0x1c2 | PNG image data, 80 x 92, 8-bit/color RGBA, non-interlaced | English | United States | 0.8288888888888889
PNG | 0x1bd196c | 0x4e9 | PNG image data, 80 x 19, 8-bit/color RGBA, non-interlaced | English | United States | 1.0087509944311854
PNG | 0x1bd1e58 | 0x23c6 | PNG image data, 76 x 125, 8-bit/color RGBA, non-interlaced | English | United States | 1.000436776588775
                                                                                    PNG0x1bd42200xb5PNG image data, 15 x 15, 8-bit/color RGB, non-interlacedEnglishUnited States1.0165745856353592
                                                                                    PNG0x1bd42d80x186PNG image data, 100 x 34, 8-bit/color RGBA, non-interlacedEnglishUnited States1.028205128205128
                                                                                    PNG0x1bd44600x1b5PNG image data, 100 x 136, 8-bit/color RGBA, non-interlacedEnglishUnited States0.6864988558352403
                                                                                    PNG0x1bd46180x66PNG image data, 1 x 46, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9803921568627451
                                                                                    PNG0x1bd46800xf9PNG image data, 90 x 12, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0321285140562249
                                                                                    PNG0x1bd477c0x17c3PNG image data, 86 x 240, 8-bit/color RGBA, non-interlacedEnglishUnited States0.992931119513398
                                                                                    PNG0x1bd5f400x283PNG image data, 86 x 8, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0171073094867806
                                                                                    PNG0x1bd61c40x71PNG image data, 5 x 8, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9823008849557522
                                                                                    PNG0x1bd62380x71dPNG image data, 16 x 48, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0060406370126305
                                                                                    PNG0x1bd69580x794PNG image data, 16 x 48, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0056701030927835
                                                                                    PNG0x1bd70ec0x284PNG image data, 7 x 39, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0170807453416149
                                                                                    PNG0x1bd73700x203PNG image data, 70 x 23, 8-bit/color RGBA, non-interlacedEnglishUnited States1.021359223300971
                                                                                    PNG0x1bd75740x1b5PNG image data, 70 x 23, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0251716247139588
                                                                                    PNG0x1bd772c0xb2PNG image data, 2 x 20, 8-bit/color RGB, non-interlacedEnglishUnited States1.0168539325842696
                                                                                    PNG0x1bd77e00xd1PNG image data, 11 x 11, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9760765550239234
                                                                                    PNG0x1bd78b40x21cPNG image data, 21 x 42, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0203703703703704
                                                                                    PNG0x1bd7ad00x21cPNG image data, 21 x 42, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0203703703703704
                                                                                    PNG0x1bd7cec0x1aePNG image data, 21 x 84, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0186046511627906
                                                                                    PNG0x1bd7e9c0x13aPNG image data, 16 x 56, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0222929936305734
                                                                                    PNG0x1bd7fd80x13fPNG image data, 21 x 84, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0344827586206897
                                                                                    PNG0x1bd81180x135PNG image data, 16 x 56, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9967637540453075
                                                                                    PNG0x1bd82500xdbPNG image data, 21 x 84, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0228310502283104
                                                                                    PNG0x1bd832c0xc6PNG image data, 16 x 56, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0252525252525253
                                                                                    PNG0x1bd83f40x1a9PNG image data, 21 x 84, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0141176470588236
                                                                                    PNG0x1bd85a00x19bPNG image data, 16 x 56, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0194647201946472
                                                                                    PNG0x1bd873c0x2296PNG image data, 72 x 125, 8-bit/color RGBA, non-interlacedEnglishUnited States1.001242376327084
                                                                                    PNG0x1bda9d40x13ePNG image data, 72 x 15, 8-bit/color RGB, non-interlacedEnglishUnited States1.0345911949685536
                                                                                    PNG0x1bdab140x115PNG image data, 30 x 24, 8-bit/color RGB, non-interlacedEnglishUnited States1.03971119133574
                                                                                    PNG0x1bdac2c0x83PNG image data, 35 x 3, 8-bit/color RGB, non-interlacedEnglishUnited States1.0076335877862594
                                                                                    PNG0x1bdacb00xcePNG image data, 7 x 7, 8-bit/color RGB, non-interlacedEnglishUnited States1.0242718446601942
                                                                                    PNG0x1bdad800xb30PNG image data, 22 x 110, 8-bit/color RGBA, non-interlacedEnglishUnited States1.003840782122905
                                                                                    PNG0x1bdb8b00x25fPNG image data, 72 x 22, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0181219110378912
                                                                                    PNG0x1bdbb100x79PNG image data, 4 x 4, 8-bit/color RGB, non-interlacedEnglishUnited States0.9752066115702479
                                                                                    PNG0x1bdbb8c0x170PNG image data, 70 x 23, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9755434782608695
                                                                                    PNG0x1bdbcfc0x26bPNG image data, 70 x 31, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0177705977382876
                                                                                    PNG0x1bdbf680x105PNG image data, 70 x 23, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9731800766283525
                                                                                    PNG0x1bdc0700xe6PNG image data, 22 x 38, 8-bit/color RGB, non-interlacedEnglishUnited States1.0260869565217392
                                                                                    PNG0x1bdc1580x38dPNG image data, 55 x 22, 8-bit/color RGBA, non-interlacedEnglishUnited States1.012101210121012
                                                                                    PNG0x1bdc4e80x265PNG image data, 55 x 22, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0179445350734095
                                                                                    PNG0x1bdc7500x11aPNG image data, 30 x 24, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0319148936170213
                                                                                    PNG0x1bdc86c0xaaPNG image data, 2 x 19, 8-bit/color RGB, non-interlacedEnglishUnited States1.011764705882353
                                                                                    PNG0x1bdc9180x12aPNG image data, 20 x 40, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0268456375838926
                                                                                    PNG0x1bdca440x209PNG image data, 10 x 28, 8-bit/color RGB, non-interlacedEnglishUnited States1.021113243761996
                                                                                    PNG0x1bdcc500xf5PNG image data, 10 x 28, 8-bit/color RGB, non-interlacedEnglishUnited States1.0244897959183674
                                                                                    PNG0x1bdcd480xa6PNG image data, 54 x 31, 8-bit/color RGB, non-interlacedEnglishUnited States1.0180722891566265
                                                                                    PNG0x1bdcdf00x150PNG image data, 54 x 124, 8-bit/color RGB, non-interlacedEnglishUnited States1.0327380952380953
                                                                                    PNG0x1bdcf400xacPNG image data, 7 x 7, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0174418604651163
                                                                                    PNG0x1bdcfec0x89PNG image data, 3 x 11, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0
                                                                                    PNG0x1bdd0780x98PNG image data, 9 x 8, 8-bit/color RGB, non-interlacedEnglishUnited States1.006578947368421
                                                                                    PNG0x1bdd1100x91PNG image data, 9 x 8, 8-bit/color RGB, non-interlacedEnglishUnited States1.006896551724138
                                                                                    PNG0x1bdd1a40x7dPNG image data, 15 x 3, 8-bit/color RGB, non-interlacedEnglishUnited States1.008
                                                                                    PNG0x1bdd2240xa6PNG image data, 7 x 7, 8-bit/color RGB, non-interlacedEnglishUnited States1.0120481927710843
                                                                                    PNG0x1bdd2cc0xbcPNG image data, 7 x 7, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0159574468085106
                                                                                    PNG0x1bdd3880xa07PNG image data, 13 x 156, 8-bit/color RGBA, non-interlacedEnglishUnited States1.004285157771718
                                                                                    PNG0x1bddd900x1de1PNG image data, 52 x 336, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0014380964832004
                                                                                    PNG0x1bdfb740x1bePNG image data, 38 x 38, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0246636771300448
                                                                                    PNG0x1bdfd340x53bPNG image data, 30 x 16, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0082150858849888
                                                                                    PNG0x1be02700x440PNG image data, 22 x 66, 8-bit/color RGBA, non-interlacedEnglishUnited States1.010110294117647
                                                                                    PNG0x1be06b00x12ePNG image data, 20 x 12, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0298013245033113
                                                                                    PNG0x1be07e00x5b1PNG image data, 23 x 154, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0075497597803706
                                                                                    PNG0x1be0d940x408PNG image data, 9 x 132, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0106589147286822
                                                                                    PNG0x1be119c0x471PNG image data, 23 x 154, 8-bit/color RGBA, non-interlacedEnglishUnited States1.009674582233949
                                                                                    PNG0x1be16100x4b7PNG image data, 10 x 132, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0091135045567523
                                                                                    PNG0x1be1ac80x481PNG image data, 23 x 154, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0095403295750216
                                                                                    PNG0x1be1f4c0x3ecPNG image data, 9 x 132, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0109561752988048
                                                                                    PNG0x1be23380x452PNG image data, 22 x 110, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0099457504520795
                                                                                    PNG0x1be278c0x414PNG image data, 22 x 110, 8-bit/color RGBA, non-interlacedEnglishUnited States1.010536398467433
                                                                                    PNG0x1be2ba00x39ePNG image data, 22 x 110, 8-bit/color RGBA, non-interlacedEnglishUnited States1.011879049676026
                                                                                    PNG0x1be2f400x48dPNG image data, 22 x 110, 8-bit/color RGBA, non-interlacedEnglishUnited States1.009442060085837
                                                                                    PNG0x1be33d00x1b3PNG image data, 15 x 56, 8-bit/color RGBA, non-interlacedEnglishUnited States1.025287356321839
                                                                                    PNG0x1be35840xeaPNG image data, 32 x 8, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0299145299145298
                                                                                    PNG0x1be36700x1ae0PNG image data, 38 x 114, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0015988372093023
                                                                                    PNG0x1be51500xb43PNG image data, 22 x 132, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0038154699965314
                                                                                    PNG0x1be5c940x609PNG image data, 11 x 110, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0071197411003237
                                                                                    PNG0x1be62a00x18aePNG image data, 43 x 234, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0017410572966128
                                                                                    PNG0x1be7b500x1177PNG image data, 43 x 135, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0024602997092373
                                                                                    PNG0x1be8cc80x25ecPNG image data, 43 x 330, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0011330861145447
                                                                                    PNG0x1beb2b40xacbPNG image data, 22 x 88, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0039811798769454
                                                                                    PNG0x1bebd800xbc8PNG image data, 14 x 276, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0036472148541113
                                                                                    PNG0x1bec9480xc2ePNG image data, 14 x 276, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0035279025016035
                                                                                    PNG0x1bed5780x5ddPNG image data, 15 x 80, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0073284477015323
                                                                                    PNG0x1bedb580x597PNG image data, 15 x 76, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0076869322152342
                                                                                    PNG0x1bee0f00x5f8PNG image data, 15 x 84, 8-bit/color RGBA, non-interlacedEnglishUnited States1.007198952879581
                                                                                    PNG0x1bee6e80x237PNG image data, 54 x 69, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0194003527336861
                                                                                    PNG0x1bee9200x588PNG image data, 22 x 44, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0077683615819208
                                                                                    PNG0x1beeea80x4b6PNG image data, 64 x 26, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0091210613598673
                                                                                    PNG0x1bef3600x532PNG image data, 64 x 26, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0082706766917293
                                                                                    PNG0x1bef8940x5fePNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0071707953063884
                                                                                    PNG0x1befe940xdd3PNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9960440802486578
                                                                                    PNG0x1bf0c680x7cPNG image data, 1 x 23, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9919354838709677
                                                                                    PNG0x1bf0ce40x13c1PNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021752026893416
                                                                                    PNG0x1bf20a80x37dPNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0123180291153415
                                                                                    PNG0x1bf24280x395PNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0119956379498365
                                                                                    PNG0x1bf27c00x125ePNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0023394300297745
                                                                                    PNG0x1bf3a200x13b4PNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021808088818398
                                                                                    PNG0x1bf4dd40x369PNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0126002290950744
                                                                                    PNG0x1bf51400x3ccPNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0113168724279835
                                                                                    PNG0x1bf550c0x1320PNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.002246732026144
                                                                                    PNG0x1bf682c0x13acPNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021842732327244
                                                                                    PNG0x1bf7bd80x364PNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.012672811059908
                                                                                    PNG0x1bf7f3c0x3baPNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0115303983228512
                                                                                    PNG0x1bf82f80x1274PNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0023285351397122
                                                                                    PNG0x1bf956c0x139fPNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021899263388414
                                                                                    PNG0x1bfa90c0x380PNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0122767857142858
                                                                                    PNG0x1bfac8c0x352PNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0129411764705882
                                                                                    PNG0x1bfafe00x1288PNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.002318718381113
                                                                                    PNG0x1bfc2680x211PNG image data, 100 x 34, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0207939508506616
                                                                                    PNG0x1bfc47c0x2e4PNG image data, 100 x 136, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0148648648648648
                                                                                    PNG0x1bfc7600x13adPNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021838395870557
                                                                                    PNG0x1bfdb100x365PNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0126582278481013
                                                                                    PNG0x1bfde780x374PNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.012443438914027
                                                                                    PNG0x1bfe1ec0x126bPNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0023329798515377
                                                                                    PNG0x1bff4580xd4PNG image data, 3 x 26, 8-bit/color RGBA, non-interlacedEnglishUnited States1.028301886792453
                                                                                    PNG0x1bff52c0x1394PNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.00219473264166
                                                                                    PNG0x1c008c00x374PNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.012443438914027
                                                                                    PNG0x1c00c340x3f4PNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0108695652173914
                                                                                    PNG0x1c010280x1304PNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0022596548890714
                                                                                    PNG0x1c0232c0x1397PNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021934197407776
                                                                                    PNG0x1c036c40x373PNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0124575311438277
                                                                                    PNG0x1c03a380x33dPNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0132689987937273
                                                                                    PNG0x1c03d780x119ePNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.002439024390244
                                                                                    PNG0x1c04f180xa6PNG image data, 15 x 15, 8-bit/color RGB, non-interlacedEnglishUnited States1.0120481927710843
                                                                                    PNG0x1c04fc00x211PNG image data, 100 x 34, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0207939508506616
                                                                                    PNG0x1c051d40x2f7PNG image data, 100 x 136, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0144927536231885
                                                                                    PNG0x1c054cc0x16ePNG image data, 9 x 38, 8-bit/color RGBA, non-interlacedEnglishUnited States1.030054644808743
                                                                                    PNG0x1c0563c0x73PNG image data, 5 x 5, 8-bit/color RGB, non-interlacedEnglishUnited States0.9826086956521739
                                                                                    PNG0x1c056b00x117PNG image data, 11 x 24, 8-bit/color RGBA, non-interlacedEnglishUnited States1.021505376344086
                                                                                    PNG0x1c057c80x67PNG image data, 2 x 55, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9902912621359223
                                                                                    PNG0x1c058300xcePNG image data, 90 x 12, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0242718446601942
                                                                                    PNG0x1c059000xa40PNG image data, 86 x 240, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9733231707317073
                                                                                    PNG0x1c063400x283PNG image data, 86 x 8, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0171073094867806
                                                                                    PNG0x1c065c40x93PNG image data, 5 x 8, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0136054421768708
                                                                                    PNG0x1c066580x96aPNG image data, 18 x 54, 8-bit/color RGBA, non-interlacedEnglishUnited States1.004564315352697
                                                                                    PNG0x1c06fc40x99bPNG image data, 18 x 54, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0044733631557543
                                                                                    PNG0x1c079600x2f7PNG image data, 11 x 45, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0144927536231885
                                                                                    PNG0x1c07c580x1ffPNG image data, 70 x 23, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0215264187866928
                                                                                    PNG0x1c07e580x1f7PNG image data, 70 x 23, 8-bit/color RGBA, non-interlacedEnglishUnited States1.021868787276342
                                                                                    PNG0x1c080500xb6PNG image data, 2 x 20, 8-bit/color RGB, non-interlacedEnglishUnited States1.010989010989011
                                                                                    PNG0x1c081080x94PNG image data, 11 x 11, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0135135135135136
                                                                                    PNG0x1c0819c0x3e6PNG image data, 17 x 32, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0110220440881763
                                                                                    PNG0x1c085840x3e6PNG image data, 17 x 32, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0110220440881763
                                                                                    PNG0x1c495ec0xc2ePNG image data, 14 x 276, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0035279025016035
                                                                                    PNG0x1c4a21c0x5ddPNG image data, 15 x 80, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0073284477015323
                                                                                    PNG0x1c4a7fc0x597PNG image data, 15 x 76, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0076869322152342
                                                                                    PNG0x1c4ad940x5f8PNG image data, 15 x 84, 8-bit/color RGBA, non-interlacedEnglishUnited States1.007198952879581
                                                                                    PNG0x1c4b38c0x228PNG image data, 54 x 69, 8-bit/color RGBA, non-interlacedEnglishUnited States1.019927536231884
                                                                                    PNG0x1c4b5b40x588PNG image data, 22 x 44, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0077683615819208
                                                                                    PNG0x1c4bb3c0x38aPNG image data, 64 x 26, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0121412803532008
                                                                                    PNG0x1c4bec80x532PNG image data, 64 x 26, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0082706766917293
                                                                                    PNG0x1c4c3fc0x32fPNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0134969325153373
                                                                                    PNG0x1c4c72c0xef8PNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9950417536534447
                                                                                    PNG0x1c4d6240x7cPNG image data, 1 x 23, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9919354838709677
                                                                                    PNG0x1c4d6a00x13c1PNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021752026893416
                                                                                    PNG0x1c4ea640x37dPNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0123180291153415
                                                                                    PNG0x1c4ede40x395PNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0119956379498365
                                                                                    PNG0x1c4f17c0x125ePNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0023394300297745
                                                                                    PNG0x1c503dc0x13b4PNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021808088818398
                                                                                    PNG0x1c517900x369PNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0126002290950744
                                                                                    PNG0x1c51afc0x3ccPNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0113168724279835
                                                                                    PNG0x1c51ec80x1320PNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.002246732026144
                                                                                    PNG0x1c531e80x13acPNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021842732327244
                                                                                    PNG0x1c545940x364PNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.012672811059908
                                                                                    PNG0x1c548f80x3baPNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0115303983228512
                                                                                    PNG0x1c54cb40x1274PNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0023285351397122
                                                                                    PNG0x1c55f280x139fPNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021899263388414
                                                                                    PNG0x1c572c80x380PNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0122767857142858
                                                                                    PNG0x1c576480x352PNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0129411764705882
                                                                                    PNG0x1c5799c0x1288PNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.002318718381113
                                                                                    PNG0x1c58c240x99dPNG image data, 100 x 34, 8-bit/color RGBA, non-interlacedEnglishUnited States1.004469727752946
                                                                                    PNG0x1c595c40x2e6PNG image data, 100 x 136, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0148247978436657
                                                                                    PNG0x1c598ac0x13adPNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021838395870557
                                                                                    PNG0x1c5ac5c0x365PNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0126582278481013
                                                                                    PNG0x1c5afc40x374PNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.012443438914027
                                                                                    PNG0x1c5b3380x126bPNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0023329798515377
                                                                                    PNG0x1c5c5a40xd4PNG image data, 3 x 26, 8-bit/color RGBA, non-interlacedEnglishUnited States1.028301886792453
                                                                                    PNG0x1c5c6780x1394PNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.00219473264166
                                                                                    PNG0x1c5da0c0x374PNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.012443438914027
                                                                                    PNG0x1c5dd800x3f4PNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0108695652173914
                                                                                    PNG0x1c5e1740x1304PNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0022596548890714
                                                                                    PNG0x1c5f4780x1397PNG image data, 52 x 252, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021934197407776
                                                                                    PNG0x1c608100x373PNG image data, 80 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0124575311438277
                                                                                    PNG0x1c60b840x33dPNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0132689987937273
                                                                                    PNG0x1c60ec40x119ePNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States1.002439024390244
                                                                                    PNG0x1c620640xa6PNG image data, 15 x 15, 8-bit/color RGB, non-interlacedEnglishUnited States1.0120481927710843
                                                                                    PNG0x1c6210c0x99dPNG image data, 100 x 34, 8-bit/color RGBA, non-interlacedEnglishUnited States1.004469727752946
                                                                                    PNG0x1c62aac0x2f7PNG image data, 100 x 136, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0144927536231885
                                                                                    PNG0x1c62da40x17ePNG image data, 9 x 38, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0287958115183247
                                                                                    PNG0x1c62f240x71PNG image data, 5 x 5, 8-bit/color RGB, non-interlacedEnglishUnited States0.9911504424778761
                                                                                    PNG0x1c62f980x117PNG image data, 11 x 24, 8-bit/color RGBA, non-interlacedEnglishUnited States1.021505376344086
                                                                                    PNG0x1c630b00x67PNG image data, 2 x 55, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9902912621359223
                                                                                    PNG0x1c631180xd7PNG image data, 90 x 12, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0232558139534884
                                                                                    PNG0x1c631f00xa40PNG image data, 86 x 240, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9733231707317073
                                                                                    PNG0x1c63c300x283PNG image data, 86 x 8, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0171073094867806
                                                                                    PNG0x1c63eb40x93PNG image data, 5 x 8, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0136054421768708
                                                                                    PNG0x1c63f480x96aPNG image data, 18 x 54, 8-bit/color RGBA, non-interlacedEnglishUnited States1.004564315352697
                                                                                    PNG0x1c648b40x99bPNG image data, 18 x 54, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0044733631557543
                                                                                    PNG0x1c652500x2f7PNG image data, 11 x 45, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0144927536231885
                                                                                    PNG0x1c655480x1d3PNG image data, 70 x 23, 8-bit/color RGBA, non-interlacedEnglishUnited States1.019271948608137
                                                                                    PNG0x1c6571c0x1f8PNG image data, 70 x 23, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0138888888888888
                                                                                    PNG0x1c659140x67PNG image data, 2 x 20, 8-bit/color RGB, non-interlacedEnglishUnited States0.9514563106796117
                                                                                    PNG0x1c6597c0x95PNG image data, 11 x 11, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0
                                                                                    PNG0x1c65a140x39dPNG image data, 17 x 32, 8-bit/color RGBA, non-interlacedEnglishUnited States1.011891891891892
                                                                                    PNG0x1c65db40x39dPNG image data, 17 x 32, 8-bit/color RGBA, non-interlacedEnglishUnited States1.011891891891892
                                                                                    PNG0x1c661540x1c1PNG image data, 17 x 80, 8-bit/color RGBA, non-interlacedEnglishUnited States1.024498886414254
                                                                                    PNG0x1c663180x153PNG image data, 13 x 60, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0324483775811208
                                                                                    PNG0x1c6646c0x15fPNG image data, 17 x 80, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0113960113960114
                                                                                    PNG0x1c665cc0x100PNG image data, 13 x 60, 8-bit/color RGBA, non-interlacedEnglishUnited States1.03515625
                                                                                    PNG0x1c666cc0x108PNG image data, 17 x 80, 8-bit/color RGBA, non-interlacedEnglishUnited States1.018939393939394
                                                                                    PNG0x1c667d40xb6PNG image data, 13 x 60, 8-bit/color RGBA, non-interlacedEnglishUnited States1.010989010989011
                                                                                    PNG0x1c6688c0x151PNG image data, 17 x 80, 8-bit/color RGBA, non-interlacedEnglishUnited States1.032640949554896
                                                                                    PNG0x1c669e00x135PNG image data, 13 x 60, 8-bit/color RGBA, non-interlacedEnglishUnited States1.029126213592233
                                                                                    PNG0x1c66b180xdd3PNG image data, 57 x 120, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9960440802486578
                                                                                    PNG0x1c678ec0x129PNG image data, 72 x 15, 8-bit/color RGB, non-interlacedEnglishUnited States1.0303030303030303
                                                                                    PNG0x1c67a180x10bPNG image data, 30 x 24, 8-bit/color RGB, non-interlacedEnglishUnited States1.0337078651685394
                                                                                    PNG0x1c67b240x87PNG image data, 35 x 3, 8-bit/color RGB, non-interlacedEnglishUnited States1.0074074074074073
                                                                                    PNG0x1c67bac0x12fPNG image data, 9 x 9, 8-bit/color RGB, non-interlacedEnglishUnited States1.0264026402640265
                                                                                    PNG0x1c67cdc0x48dPNG image data, 22 x 110, 8-bit/color RGBA, non-interlacedEnglishUnited States1.009442060085837
                                                                                    PNG0x1c6816c0xdd1PNG image data, 72 x 22, 8-bit/color RGBA, non-interlacedEnglishUnited States1.003109980209217
                                                                                    PNG0x1c68f400xd61PNG image data, 55 x 22, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0032116788321168
                                                                                    PNG0x1c69ca40x265PNG image data, 55 x 22, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0179445350734095
                                                                                    PNG0x1c69f0c0xbb9PNG image data, 20 x 40, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0036654448517162
                                                                                    PNG0x1c6aac80xc66PNG image data, 10 x 28, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0034656584751103
                                                                                    PNG0x1c6b7300xb90PNG image data, 10 x 28, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0037162162162163
                                                                                    PNG0x1c6c2c00xb07PNG image data, 5 x 5, 8-bit/color RGBA, non-interlacedEnglishUnited States1.003896563939072
                                                                                    PNG0x1c6cdc80xb50PNG image data, 7 x 7, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0037983425414365
                                                                                    PNG0x1c6d9180x2885PNG image data, 42 x 348, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0010604453870626
                                                                                    PNG0x1c701a00xd8ePNG image data, 38 x 38, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0031700288184437
                                                                                    PNG0x1c70f300x53bPNG image data, 30 x 16, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0082150858849888
                                                                                    PNG0x1c7146c0x4f3PNG image data, 22 x 66, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0086819258089976
                                                                                    PNG0x1c719600x130fPNG image data, 22 x 154, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0022545603607296
                                                                                    PNG0x1c72c700xe74PNG image data, 10 x 132, 8-bit/color RGBA, non-interlacedEnglishUnited States1.002972972972973
                                                                                    PNG0x1c73ae40x11baPNG image data, 22 x 154, 8-bit/color RGBA, non-interlacedEnglishUnited States1.002423975319524
                                                                                    PNG0x1c74ca00xecePNG image data, 11 x 132, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0029023746701846
                                                                                    PNG0x1c75b700x11baPNG image data, 22 x 154, 8-bit/color RGBA, non-interlacedEnglishUnited States1.002423975319524
                                                                                    PNG0x1c76d2c0xe74PNG image data, 10 x 132, 8-bit/color RGBA, non-interlacedEnglishUnited States1.002972972972973
                                                                                    PNG0x1c77ba00x1206PNG image data, 22 x 110, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0023840485478976
                                                                                    PNG0x1c78da80x11bcPNG image data, 22 x 110, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0024229074889868
                                                                                    PNG0x1c79f640x112aPNG image data, 22 x 110, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0025034137460174
                                                                                    PNG0x1c7b0900x127aPNG image data, 22 x 110, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0023255813953489
                                                                                    PNG0x1c7c30c0xd3ePNG image data, 15 x 56, 8-bit/color RGBA, non-interlacedEnglishUnited States1.003244837758112
                                                                                    PNG0x1c7d04c0xbacPNG image data, 32 x 8, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0036813922356091
                                                                                    PNG0x1c7dbf80x146aPNG image data, 56 x 69, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0021048603138156
                                                                                    PNG0x1c7f0640x122fPNG image data, 22 x 132, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0023630504833512
                                                                                    PNG0x1c802940xdecPNG image data, 11 x 110, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0030864197530864
                                                                                    PNG0x1c810800x1100PNG image data, 42 x 228, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0025275735294117
                                                                                    PNG0x1c821800x11edPNG image data, 42 x 140, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0023970363913706
                                                                                    PNG0x1c833700x1864PNG image data, 42 x 330, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0003203074951954
                                                                                    PNG0x1c84bd40x10b5PNG image data, 22 x 88, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0025718961889174
                                                                                    PNG0x1c85c8c0x124bPNG image data, 14 x 276, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0023489216314327
                                                                                    PNG0x1c86ed80x1256PNG image data, 14 x 276, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0023434171282488
                                                                                    PNG0x1c881300xf2cPNG image data, 15 x 80, 8-bit/color RGBA, non-interlacedEnglishUnited States1.002832131822863
                                                                                    PNG0x1c8905c0xedePNG image data, 15 x 76, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0028901734104045
                                                                                    PNG0x1c89f3c0xf69PNG image data, 15 x 84, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0027883396704689
                                                                                    PNG0x1c8aea80xe20PNG image data, 22 x 44, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0030420353982301
                                                                                    PNG0x1c8bcc80xdc7PNG image data, 64 x 26, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0031187978451943
                                                                                    PNG0x1c8ca900xbaePNG image data, 3 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0036789297658864
                                                                                    PNG0x1c8d6400xd91PNG image data, 13 x 72, 8-bit/color RGBA, non-interlacedEnglishUnited States1.003167290526922
                                                                                    PNG0x1c8e3d40xb12PNG image data, 1 x 23, 8-bit/color RGBA, non-interlacedEnglishUnited States1.003881439661256
                                                                                    PNG0x1c8eee80xbc3PNG image data, 3 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0036532713384259
                                                                                    PNG0x1c8faac0xc9fPNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.003404518724853
                                                                                    PNG0x1c9074c0xd7dPNG image data, 13 x 72, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0031856356791196
                                                                                    PNG0x1c914cc0xbf7PNG image data, 3 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0035912504080966
                                                                                    PNG0x1c920c40xc96PNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0034140285536934
                                                                                    PNG0x1c92d5c0xd8cPNG image data, 13 x 72, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0031718569780854
                                                                                    PNG0x1c93ae80xbdaPNG image data, 3 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0036255767963085
                                                                                    PNG0x1c946c40xca0PNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0034034653465347
                                                                                    PNG0x1c953640xd80PNG image data, 13 x 72, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0031828703703705
                                                                                    PNG0x1c960e40xbe2PNG image data, 3 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0036160420775806
                                                                                    PNG0x1c96cc80xc8cPNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0034246575342465
                                                                                    PNG0x1c979540xd7bPNG image data, 13 x 72, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0031874818893074
                                                                                    PNG0x1c986d00xbe7PNG image data, 3 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0036101083032491
                                                                                    PNG0x1c992b80xc94PNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0034161490683229
                                                                                    PNG0x1c99f4c0xd80PNG image data, 13 x 72, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0031828703703705
                                                                                    PNG0x1c9accc0xd4PNG image data, 3 x 26, 8-bit/color RGBA, non-interlacedEnglishUnited States1.028301886792453
                                                                                    PNG0x1c9ada00xbd0PNG image data, 3 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.003637566137566
                                                                                    PNG0x1c9b9700xc97PNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0034129692832765
                                                                                    PNG0x1c9c6080xd7aPNG image data, 13 x 72, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0031884057971014
                                                                                    PNG0x1c9d3840xbdaPNG image data, 3 x 92, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0036255767963085
                                                                                    PNG0x1c9df600xc8fPNG image data, 80 x 19, 8-bit/color RGBA, non-interlacedEnglishUnited States1.003421461897356
                                                                                    PNG0x1c9ebf00xd86PNG image data, 13 x 72, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0031773541305604
                                                                                    PNG0x1c9f9780x1908PNG image data, 50 x 178, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9887640449438202
                                                                                    PNG0x1ca12800xb75PNG image data, 3 x 61, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0037504261847938
                                                                                    PNG0x1ca1df80xbd0PNG image data, 9 x 51, 8-bit/color RGBA, non-interlacedEnglishUnited States1.003637566137566
                                                                                    PNG0x1ca29c80x1570PNG image data, 18 x 72, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0020043731778425
                                                                                    PNG0x1ca3f380x1623PNG image data, 18 x 72, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0019410622904534
                                                                                    STYLE_XML0x1ca555c0x4e01HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.1839851770243878
                                                                                    STYLE_XML0x1caa3600x4b09HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.20396689052006872
                                                                                    STYLE_XML0x1caee6c0x4aa6HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.20460491889063318
                                                                                    STYLE_XML0x1cb39140x4a18HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.20397511598481655
                                                                                    STYLE_XML0x1cb832c0x1955HTML document, ASCII text, with CRLF line terminatorsEnglishUnited States0.1918272937548188
RT_CURSOR | 0x1cb9c84 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4805194805194805
RT_CURSOR | 0x1cb9db8 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | English | United States | 0.7
RT_CURSOR | 0x1cb9e6c | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.36363636363636365
RT_CURSOR | 0x1cb9fa0 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.35714285714285715
RT_CURSOR | 0x1cba0d4 | 0x134 | data | English | United States | 0.37337662337662336
RT_CURSOR | 0x1cba208 | 0x134 | data | English | United States | 0.37662337662337664
RT_CURSOR | 0x1cba33c | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687
RT_CURSOR | 0x1cba470 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.37662337662337664
RT_CURSOR | 0x1cba5a4 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687
RT_CURSOR | 0x1cba6d8 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x1cba80c | 0x134 | data | English | United States | 0.44155844155844154
RT_CURSOR | 0x1cba940 | 0x134 | data | English | United States | 0.4155844155844156
RT_CURSOR | 0x1cbaa74 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.5422077922077922
RT_CURSOR | 0x1cbaba8 | 0x134 | data | English | United States | 0.2662337662337662
RT_CURSOR | 0x1cbacdc | 0x134 | data | English | United States | 0.2824675324675325
RT_CURSOR | 0x1cbae10 | 0x134 | data | English | United States | 0.3246753246753247
RT_CURSOR | 0x1cbaf44 | 0x134 | data | English | United States | 0.20454545454545456
RT_CURSOR | 0x1cbb078 | 0x134 | data | English | United States | 0.2857142857142857
RT_CURSOR | 0x1cbb1ac | 0x134 | data | English | United States | 0.4675324675324675
RT_CURSOR | 0x1cbb2e0 | 0x134 | data | English | United States | 0.2532467532467532
RT_CURSOR | 0x1cbb414 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.40584415584415584
RT_CURSOR | 0x1cbb548 | 0x134 | data | English | United States | 0.4383116883116883
RT_CURSOR | 0x1cbb67c | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_CURSOR | 0x1cbb7b0 | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | English | United States | 0.39285714285714285
RT_CURSOR | 0x1cbb8e4 | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | English | United States | 0.4512987012987013
RT_CURSOR | 0x1cbba18 | 0x134 | data | English | United States | 0.37337662337662336
RT_CURSOR | 0x1cbbb4c | 0x134 | data | English | United States | 0.4448051948051948
RT_CURSOR | 0x1cbbc80 | 0x134 | data | English | United States | 0.525974025974026
RT_BITMAP | 0x1cbbdb4 | 0x62c | Device independent bitmap graphic, 324 x 9 x 4, image size 1476 | English | United States | 0.2430379746835443
RT_BITMAP | 0x1cbc3e0 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.5818965517241379
RT_BITMAP | 0x1cbc4c8 | 0x4a0 | Device independent bitmap graphic, 144 x 15 x 4, image size 1080 | English | United States | 0.3783783783783784
RT_BITMAP | 0x1cbc968 | 0x197a | Device independent bitmap graphic, 144 x 15 x 24, image size 6482, resolution 2834 x 2834 px/m | English | United States | 0.380098129408157
RT_BITMAP | 0x1cbe2e4 | 0xc8 | Device independent bitmap graphic, 13 x 12 x 4, image size 96 | English | United States | 0.51
RT_BITMAP | 0x1cbe3ac | 0xc8 | Device independent bitmap graphic, 13 x 12 x 4, image size 96 | English | United States | 0.515
RT_BITMAP | 0x1cbe474 | 0xc8 | Device independent bitmap graphic, 13 x 12 x 4, image size 96 | English | United States | 0.43
RT_BITMAP | 0x1cbe53c | 0xc8 | Device independent bitmap graphic, 13 x 12 x 4, image size 96 | English | United States | 0.44
RT_BITMAP | 0x1cbe604 | 0x182a | Device independent bitmap graphic, 128 x 16 x 24, image size 6146, resolution 2834 x 2834 px/m | English | United States | 0.2924345295829292
RT_BITMAP | 0x1cbfe30 | 0x468 | Device independent bitmap graphic, 128 x 16 x 4, image size 1024 | English | United States | 0.3058510638297872
RT_BITMAP | 0x1cc0298 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256 | English | United States | 0.4803030303030303
RT_BITMAP | 0x1cc07c0 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256 | English | United States | 0.4765151515151515
RT_BITMAP | 0x1cc0ce8 | 0x158 | Device independent bitmap graphic, 32 x 15 x 4, image size 240 | English | United States | 0.41569767441860467
RT_BITMAP | 0x1cc0e40 | 0x188 | Device independent bitmap graphic, 48 x 12 x 4, image size 288 | English | United States | 0.39285714285714285
RT_BITMAP | 0x1cc0fc8 | 0x1e8 | Device independent bitmap graphic, 48 x 16 x 4, image size 384 | English | United States | 0.5081967213114754
RT_BITMAP | 0x1cc11b0 | 0xad2 | Device independent bitmap graphic, 29 x 31 x 24, image size 2730, resolution 2834 x 2834 px/m | English | United States | 0.18736462093862816
RT_BITMAP | 0x1cc1c84 | 0xad2 | Device independent bitmap graphic, 29 x 31 x 24, image size 2730, resolution 2834 x 2834 px/m | English | United States | 0.1844765342960289
RT_BITMAP | 0x1cc2758 | 0xb0a | Device independent bitmap graphic, 31 x 29 x 24, image size 2786, resolution 2834 x 2834 px/m | English | United States | 0.19497523000707714
RT_BITMAP | 0x1cc3264 | 0x7e2 | Device independent bitmap graphic, 25 x 26 x 24, image size 1978, resolution 2834 x 2834 px/m | English | United States | 0.24033696729435083
RT_BITMAP | 0x1cc3a48 | 0xb0a | Device independent bitmap graphic, 31 x 29 x 24, image size 2786, resolution 2834 x 2834 px/m | English | United States | 0.1935598018400566
RT_BITMAP | 0x1cc4554 | 0x134 | Device independent bitmap graphic, 17 x 17 x 4, image size 204 | English | United States | 0.37337662337662336
RT_BITMAP | 0x1cc4688 | 0x928 | Device independent bitmap graphic, 48 x 16 x 24, image size 0, resolution 2834 x 2834 px/m | English | United States | 0.533703071672355
RT_BITMAP | 0x1cc4fb0 | 0x32a | Device independent bitmap graphic, 16 x 16 x 24, image size 770, resolution 2834 x 2834 px/m | English | United States | 0.7518518518518519
RT_BITMAP | 0x1cc52dc | 0x32a | Device independent bitmap graphic, 16 x 16 x 24, image size 770, resolution 2834 x 2834 px/m | English | United States | 0.3790123456790123
RT_BITMAP | 0x1cc5608 | 0xc2a | Device independent bitmap graphic, 64 x 16 x 24, image size 3074, resolution 2834 x 2834 px/m | English | United States | 0.42485549132947975
RT_BITMAP | 0x1cc6234 | 0x20a | Device independent bitmap graphic, 13 x 12 x 24, image size 482, resolution 2834 x 2834 px/m | English | United States | 0.9367816091954023
RT_BITMAP | 0x1cc6440 | 0x20a | Device independent bitmap graphic, 13 x 12 x 24, image size 482, resolution 2834 x 2834 px/m | English | United States | 0.4482758620689655
RT_BITMAP | 0x1cc664c | 0x20a | Device independent bitmap graphic, 13 x 12 x 24, image size 482, resolution 2834 x 2834 px/m | English | United States | 0.33524904214559387
RT_BITMAP | 0x1cc6858 | 0x20a | Device independent bitmap graphic, 13 x 12 x 24, image size 482, resolution 2834 x 2834 px/m | English | United States | 0.3371647509578544
RT_BITMAP | 0x1cc6a64 | 0x32a | Device independent bitmap graphic, 16 x 16 x 24, image size 770, resolution 2834 x 2834 px/m | English | United States | 0.6320987654320988
RT_BITMAP | 0x1cc6d90 | 0x2256 | Device independent bitmap graphic, 324 x 9 x 24, image size 8750, resolution 2834 x 2834 px/m | English | United States | 0.0608646188850967
RT_BITMAP | 0x1cc8fe8 | 0x602a | Device independent bitmap graphic, 192 x 32 x 32, image size 24578, resolution 2834 x 2834 px/m | English | United States | 0.2250385896498497
RT_BITMAP | 0x1ccf014 | 0x2028 | Device independent bitmap graphic, 128 x 16 x 32, image size 0 | English | United States | 0.24708454810495628
RT_BITMAP | 0x1cd103c | 0x13da | Device independent bitmap graphic, 35 x 36 x 32, image size 5042, resolution 2834 x 2834 px/m | English | United States | 0.11570247933884298
RT_BITMAP | 0x1cd2418 | 0x13da | Device independent bitmap graphic, 35 x 36 x 32, image size 5042, resolution 2834 x 2834 px/m | English | United States | 0.10999606454151908
RT_BITMAP | 0x1cd37f4 | 0x13da | Device independent bitmap graphic, 36 x 35 x 32, image size 5042, resolution 2834 x 2834 px/m | English | United States | 0.11511216056670602
RT_BITMAP | 0x1cd4bd0 | 0xeb2 | Device independent bitmap graphic, 31 x 30 x 32, image size 3722, resolution 2834 x 2834 px/m | English | United States | 0.13157894736842105
RT_BITMAP | 0x1cd5a84 | 0x13da | Device independent bitmap graphic, 36 x 35 x 32, image size 5042, resolution 2834 x 2834 px/m | English | United States | 0.11983471074380166
RT_BITMAP | 0x1cd6e60 | 0x13da | Device independent bitmap graphic, 35 x 36 x 32, image size 5042, resolution 2834 x 2834 px/m | English | United States | 0.27371113734750097
RT_BITMAP | 0x1cd823c | 0x13da | Device independent bitmap graphic, 35 x 36 x 32, image size 5042, resolution 2834 x 2834 px/m | English | United States | 0.2699724517906336
RT_BITMAP | 0x1cd9618 | 0x13da | Device independent bitmap graphic, 36 x 35 x 32, image size 5042, resolution 2834 x 2834 px/m | English | United States | 0.2426210153482881
RT_BITMAP | 0x1cda9f4 | 0xeb2 | Device independent bitmap graphic, 31 x 30 x 32, image size 3722, resolution 2834 x 2834 px/m | English | United States | 0.3413078149920255
RT_BITMAP | 0x1cdb8a8 | 0x13da | Device independent bitmap graphic, 36 x 35 x 32, image size 5042, resolution 2834 x 2834 px/m | English | United States | 0.23868555686737505
RT_BITMAP | 0x1cdcc84 | 0x5a66 | Device independent bitmap graphic, 77 x 75 x 32, image size 23102, resolution 2834 x 2834 px/m | English | United States | 0.046365914786967416
RT_BITMAP | 0x1ce26ec | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | English | United States | 0.44565217391304346
RT_BITMAP | 0x1ce27a4 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | English | United States | 0.37962962962962965
RT_ICON | 0x1ce28e8 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | Chinese | China | 0.10390345296919845
RT_ICON | 0x1d24910 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.33198924731182794
RT_ICON | 0x1d24bf8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.41216216216216217
RT_ICON | 0x1d24d20 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.42905405405405406
RT_ICON | 0x1d24e48 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.2661290322580645
RT_ICON | 0x1d25130 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.18010752688172044
RT_ICON | 0x1d25418 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.35135135135135137
RT_ICON | 0x1d25540 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.06092057761732852
RT_ICON | 0x1d25de8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.07658959537572255
RT_ICON | 0x1d26350 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3072 | English | United States | 0.042901234567901236
RT_ICON | 0x1d26ff8 | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 768 | English | United States | 0.10550458715596331
RT_ICON | 0x1d27360 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.6400709219858156
RT_ICON | 0x1d277c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5
RT_MENU | 0x1d278f0 | 0x11c | data | English | United States | 0.573943661971831
RT_DIALOG | 0x1d27a0c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27a4c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27a8c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27acc | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27b0c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27b4c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27b8c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27bcc | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27c0c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27c4c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27c8c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27ccc | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27d0c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27d4c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27d8c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27dcc | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27e0c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27e4c | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1d27e8c | 0x40 | data | Chinese | China | 0.828125
RT_DIALOG | 0x1d27ecc | 0x13c | data | English | United States | 0.5949367088607594
RT_DIALOG | 0x1d28008 | 0x1a4 | data | English | United States | 0.5380952380952381
RT_DIALOG | 0x1d281ac | 0xe6 | data | English | United States | 0.6347826086956522
RT_DIALOG | 0x1d28294 | 0x390 | data | English | United States | 0.4418859649122807
RT_DIALOG | 0x1d28624 | 0x21c | data | English | United States | 0.5037037037037037
RT_DIALOG | 0x1d28840 | 0x390 | data | English | United States | 0.4692982456140351
RT_DIALOG | 0x1d28bd0 | 0x1dc | data | English | United States | 0.5441176470588235
RT_DIALOG | 0x1d28dac | 0x346 | data | English | United States | 0.46897374701670647
RT_DIALOG | 0x1d290f4 | 0x334 | data | English | United States | 0.43658536585365854
RT_DIALOG | 0x1d29428 | 0x58 | data | English | United States | 0.8068181818181818
RT_DIALOG | 0x1d29480 | 0x23c | data | English | United States | 0.5122377622377622
RT_DIALOG | 0x1d296bc | 0x1c2 | data | English | United States | 0.5066666666666667
RT_DIALOG | 0x1d29880 | 0x160 | data | English | United States | 0.5994318181818182
RT_DIALOG | 0x1d299e0 | 0xb2 | data | English | United States | 0.7191011235955056
RT_DIALOG | 0x1d29a94 | 0x3d4 | data | English | United States | 0.3408163265306122
RT_DIALOG | 0x1d29e68 | 0x19e | data | English | United States | 0.6280193236714976
RT_DIALOG | 0x1d2a008 | 0x1a2 | data | English | United States | 0.5741626794258373
RT_DIALOG | 0x1d2a1ac | 0x34 | data | English | United States | 0.8076923076923077
RT_DIALOG | 0x1d2a1e0 | 0x2a8 | data | English | United States | 0.5338235294117647
RT_DIALOG | 0x1d2a488 | 0x382 | data | English | United States | 0.48552338530066813
RT_DIALOG | 0x1d2a80c | 0xe8 | data | English | United States | 0.6336206896551724
RT_DIALOG | 0x1d2a8f4 | 0x34 | data | English | United States | 0.9038461538461539
RT_STRING | 0x1d2a928 | 0x32c | data | English | United States | 0.4125615763546798
RT_STRING | 0x1d2ac54 | 0x248 | data | English | United States | 0.5085616438356164
RT_STRING | 0x1d2ae9c | 0x84 | data | English | United States | 0.5833333333333334
RT_STRING | 0x1d2af20 | 0x2a8 | data | English | United States | 0.36176470588235293
RT_STRING | 0x1d2b1c8 | 0x20e | data | English | United States | 0.3155893536121673
RT_STRING | 0x1d2b3d8 | 0x24c | data | English | United States | 0.4370748299319728
RT_STRING | 0x1d2b624 | 0x3c | data | English | United States | 0.65
RT_STRING | 0x1d2b660 | 0x16e | data | English | United States | 0.39344262295081966
RT_STRING | 0x1d2b7d0 | 0xa6 | Matlab v4 mat-file (little endian) T, numeric, rows 0, columns 0 | English | United States | 0.7228915662650602
RT_STRING | 0x1d2b878 | 0x184 | data | English | United States | 0.4742268041237113
RT_STRING | 0x1d2b9fc | 0x66 | data | English | United States | 0.696078431372549
RT_STRING | 0x1d2ba64 | 0x1d6 | Matlab v4 mat-file (little endian) S, numeric, rows 0, columns 0 | English | United States | 0.35319148936170214
RT_STRING | 0x1d2bc3c | 0x186 | data | English | United States | 0.5384615384615384
RT_STRING | 0x1d2bdc4 | 0xb2 | data | English | United States | 0.6179775280898876
RT_STRING | 0x1d2be78 | 0x48 | Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0 | English | United States | 0.7083333333333334
RT_STRING | 0x1d2bec0 | 0x18c | data | English | United States | 0.398989898989899
RT_STRING | 0x1d2c04c | 0x82 | StarOffice Gallery theme p, 536899072 objects, 1st n | English | United States | 0.7153846153846154
RT_STRING | 0x1d2c0d0 | 0x2a | data | English | United States | 0.5476190476190477
RT_STRING | 0x1d2c0fc | 0x184 | data | English | United States | 0.48711340206185566
RT_STRING | 0x1d2c280 | 0x4ee | data | English | United States | 0.375594294770206
RT_STRING | 0x1d2c770 | 0x264 | data | English | United States | 0.3333333333333333
RT_STRING | 0x1d2c9d4 | 0x2da | data | English | United States | 0.3698630136986301
RT_STRING | 0x1d2ccb0 | 0x8a | data | English | United States | 0.6594202898550725
RT_STRING | 0x1d2cd3c | 0xac | data | English | United States | 0.45348837209302323
RT_STRING | 0x1d2cde8 | 0xde | data | English | United States | 0.536036036036036
RT_STRING | 0x1d2cec8 | 0x4a8 | data | English | United States | 0.3221476510067114
RT_STRING | 0x1d2d370 | 0x228 | data | English | United States | 0.4003623188405797
RT_STRING | 0x1d2d598 | 0x2c | data | English | United States | 0.5227272727272727
RT_STRING | 0x1d2d5c4 | 0x53e | data | English | United States | 0.2965722801788376
RT_GROUP_CURSOR | 0x1d2db04 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2db18 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2db2c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2db40 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2db54 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2db68 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2db7c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2db90 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dba4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dbb8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dbcc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dbe0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dbf4 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States | 1.0
RT_GROUP_CURSOR | 0x1d2dc18 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dc2c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dc40 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dc54 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dc68 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dc7c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dc90 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dca4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dcb8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dccc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dce0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dcf4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dd08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x1d2dd1c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                                                                                    RT_GROUP_ICON0x1d2dd300x14dataChineseChina1.1
                                                                                    RT_GROUP_ICON0x1d2dd440x22dataEnglishUnited States1.0588235294117647
                                                                                    RT_GROUP_ICON0x1d2dd680x22dataEnglishUnited States1.0588235294117647
                                                                                    RT_GROUP_ICON0x1d2dd8c0x5adataEnglishUnited States0.7444444444444445
                                                                                    RT_GROUP_ICON0x1d2dde80x22dataEnglishUnited States1.1176470588235294
                                                                                    RT_VERSION0x1d2de0c0x2a4dataChineseChina0.46449704142011833
                                                                                    RT_MANIFEST0x1d2e0b00x327XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (747), with CRLF line terminatorsEnglishUnited States0.5241635687732342
                                                                                    None0x1d2e3d80x1cdataEnglishUnited States1.2857142857142858
                                                                                    None0x1d2e3f40x18dataEnglishUnited States1.2916666666666667
DLL | Import
WS2_32.dll | bind, closesocket, connect, getpeername, getsockname, getsockopt, htons, ntohs, setsockopt, WSAIoctl, getaddrinfo, freeaddrinfo, send, listen, recvfrom, sendto, ioctlsocket, gethostname, WSAStartup, recv, WSASetLastError, getservbyname, gethostbyname, htonl, shutdown, select, __WSAFDIsSet, socket, WSAGetLastError, accept, WSACleanup
KERNEL32.dll | LockFile, UnlockFile, lstrcmpiW, GetThreadLocale, lstrcmpA, SetThreadPriority, GetPrivateProfileIntW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GlobalReAlloc, GlobalHandle, LocalReAlloc, GlobalGetAtomNameW, CompareStringW, GetLocaleInfoW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GlobalFlags, FindResourceExW, SearchPathW, GetProfileIntW, LoadLibraryA, GetUserDefaultLCID, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, WaitForSingleObjectEx, GetFullPathNameW, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, EnumSystemLocalesW, IsValidLocale, GetOEMCP, IsValidCodePage, GetConsoleCP, ReadConsoleW, GetConsoleMode, QueryPerformanceFrequency, HeapQueryInformation, SetStdHandle, GetCommandLineW, GetCommandLineA, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, RtlUnwind, LCMapStringW, GetCPInfo, GetStringTypeW, lstrcmpW, GlobalDeleteAtom, GetModuleHandleA, FreeResource, EncodePointer, OutputDebugStringA, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, FlushFileBuffers, GlobalFindAtomW, QueryPerformanceCounter, GlobalAddAtomW, GetFileTime, GetFileSizeEx, GetFileAttributesExW, FileTimeToLocalFileTime, GlobalSize, VerifyVersionInfoW, VerSetConditionMask, FormatMessageA, GetFileType, ExpandEnvironmentStringsA, SleepEx, CreateMutexA, lstrcpynW, SetFileTime, LocalFileTimeToFileTime, FreeConsole, ReadConsoleOutputCharacterW, AttachConsole, DeleteVolumeMountPointW, SetVolumeLabelW, ResetEvent, WaitForMultipleObjects, PeekNamedPipe, TerminateThread, CreateThread, DuplicateHandle, GetProcessHeap, DeleteCriticalSection, DecodePointer, HeapAlloc, RaiseException, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, HeapFree, GetFirmwareEnvironmentVariableW, GlobalMemoryStatusEx, GlobalUnlock, GlobalLock, MoveFileExW, RemoveDirectoryW, GetFileAttributesW, FormatMessageW, GetACP, CreatePipe, SetThreadExecutionState, GetTempPathW, GetLongPathNameW, GetTempFileNameW, CreateEventW, GetWindowsDirectoryW, GetSystemDirectoryW, ReleaseMutex, CreateMutexW, GetStdHandle, WriteConsoleW, SetEndOfFile, MoveFileW, DeleteFileW, AllocConsole, GetBinaryTypeW, GetVolumeInformationW, DefineDosDeviceW, FindVolumeClose, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, QueryDosDeviceW, FindFirstVolumeW, GlobalFree, SetFilePointerEx, GetVolumeNameForVolumeMountPointW, GlobalMemoryStatus, GetTickCount, SystemTimeToFileTime, GetSystemTime, GlobalAlloc, LocalFree, LocalAlloc, MulDiv, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetPrivateProfileStringA, GetPrivateProfileStringW, WinExec, lstrlenW, lstrcatW, GetDiskFreeSpaceExW, GetDriveTypeW, GetLogicalDriveStringsW, GetVersionExW, GetSystemInfo, InterlockedDecrement, LoadLibraryExW, FreeLibrary, LoadLibraryExA, GetFileSize, SetFilePointer, VirtualQuery, SetThreadContext, FlushInstructionCache, GetThreadContext, GetCurrentThread, SuspendThread, VirtualAlloc, InterlockedCompareExchange, VirtualFree, VirtualProtect, ExitProcess, LoadLibraryW, OpenProcess, ResumeThread, TerminateProcess, SetLastError, GetCurrentProcess, GetCurrentThreadId, GetLocalTime, GetModuleFileNameW, GetModuleHandleW, GetProcAddress, MultiByteToWideChar, WideCharToMultiByte, GetCurrentDirectoryW, CreateDirectoryW, CopyFileExW, SetFileAttributesW, SetErrorMode, CopyFileW, OutputDebugStringW, GetExitCodeProcess, SetEvent, WriteFile, IsBadReadPtr, ReadFile, SetConsoleMode, DeviceIoControl, GetLastError, CreateFileW, lstrcpyW, Sleep, CreateProcessW, GetCurrentProcessId, InitializeCriticalSection, FindResourceW, LoadResource, LockResource, SizeofResource, FindClose, FindNextFileW, FindFirstFileW, WaitForSingleObject, CloseHandle, LeaveCriticalSection, EnterCriticalSection, GetTimeZoneInformation, FindFirstFileExW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetConsoleCtrlHandler, FlushConsoleInputBuffer, ReadConsoleInputA
USER32.dll | CheckDlgButton, MoveWindow, GetMonitorInfoW, MonitorFromWindow, WinHelpW, SetScrollInfo, CallNextHookEx, UnhookWindowsHookEx, SetWindowsHookExW, GetWindow, GetLastActivePopup, GetTopWindow, GetClassLongW, EqualRect, MapWindowPoints, AdjustWindowRectEx, GetWindowTextLengthW, RemovePropW, GetPropW, SetPropW, GetScrollRange, SetScrollRange, GetScrollPos, ScrollWindow, ValidateRect, EndPaint, BeginPaint, GetForegroundWindow, SetActiveWindow, TrackPopupMenu, SetMenu, GetMenu, GetKeyState, SetFocus, GetDlgCtrlID, GetDlgItem, IsWindowVisible, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, GetWindowPlacement, SetWindowPos, DestroyWindow, IsChild, IsMenu, CreateWindowExW, GetClassInfoExW, RegisterClassW, CallWindowProcW, GetMessageTime, PeekMessageW, DispatchMessageW, LoadMenuW, RemoveMenu, InsertMenuW, GetMenuItemID, GetMenuState, GetMenuStringW, SetRect, ShowScrollBar, SetScrollPos, GetNextDlgTabItem, GetActiveWindow, PostThreadMessageW, WaitMessage, SubtractRect, IsClipboardFormatAvailable, IsCharLowerW, SetCapture, GetDesktopWindow, GetCursorPos, GetClassInfoW, DefWindowProcW, DrawFrameControl, IsRectEmpty, FrameRect, GetFocus, BringWindowToTop, GetNextDlgGroupItem, ReleaseCapture, GetCapture, WindowFromPoint, CopyIcon, MessageBeep, DestroyCursor, GetWindowLongW, SetWindowTextW, IsWindowEnabled, GetWindowTextW, GetClassNameW, ShowWindow, EnumChildWindows, SetMenuDefaultItem, GetWindowThreadProcessId, UnregisterClassW, ExitWindowsEx, SetForegroundWindow, DrawIcon, IsIconic, RegisterDeviceNotificationW, LoadIconW, SendMessageTimeoutW, EnumWindows, GrayStringW, DrawTextExW, TabbedTextOutW, UpdateWindow, GetScrollInfo, GetKeyNameTextW, MapVirtualKeyW, CharUpperW, GetMessageW, TranslateMessage, CharNextW, DestroyMenu, PostQuitMessage, SetWindowContextHelpId, MapDialogRect, SetWindowRgn, GetSysColorBrush, DrawFocusRect, SetLayeredWindowAttributes, EnumDisplayMonitors, ShowOwnedPopups, SetRectEmpty, AppendMenuW, GetSubMenu, GetMenuItemInfoW, GetMenuItemCount, OffsetRect, IsDialogMessageW, CheckMenuItem, EnableMenuItem, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, SetMenuItemInfoW, LoadBitmapW, GetWindowDC, DrawStateW, EndDialog, CreateDialogIndirectParamW, MapVirtualKeyExW, DrawMenuBar, DefFrameProcW, DefMDIChildProcW, TranslateMDISysAccel, GetComboBoxInfo, CreateMenu, HideCaret, InvertRect, GetWindowRgn, CopyImage, SendDlgItemMessageA, RealChildWindowFromPoint, UnpackDDElParam, InsertMenuItemW, TranslateAcceleratorW, CharUpperBuffW, RegisterClipboardFormatW, CreateAcceleratorTableW, LoadAcceleratorsW, GetKeyboardState, GetKeyboardLayout, MessageBoxA, GetUserObjectInformationW, GetProcessWindowStation, ToUnicodeEx, GetUpdateRect, SetClassLongW, DestroyAcceleratorTable, ModifyMenuW, GetIconInfo, GetDoubleClickTime, SetCursorPos, LoadImageW, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, RegisterWindowMessageW, PostMessageW, EnableWindow, GetSysColor, InvalidateRect, SetParent, InflateRect, DrawTextW, IntersectRect, SetTimer, GetMessagePos, ScreenToClient, GetClientRect, PtInRect, KillTimer, SendMessageW, GetWindowRect, GetSystemMetrics, LockWindowUpdate, RedrawWindow, GetParent, IsWindow, MessageBoxW, wsprintfW, DestroyIcon, ClientToScreen, CreatePopupMenu, CopyRect, FillRect, LoadCursorW, SetWindowLongW, SetCursor, GetDC, InvalidateRgn, CopyAcceleratorTableW, MonitorFromPoint, UnionRect, EnableScrollBar, UpdateLayeredWindow, GetMenuDefaultItem, ReleaseDC, SystemParametersInfoW, DrawEdge, DrawIconEx, NotifyWinEvent, DeleteMenu, GetSystemMenu, GetAsyncKeyState, TrackMouseEvent, IsZoomed, ReuseDDElParam
GDI32.dll | SelectPalette, SetMapMode, SetLayout, GetLayout, SetPolyFillMode, SetROP2, SetTextAlign, MoveToEx, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, CombineRgn, CreateRectRgnIndirect, SetRectRgn, DPtoLP, ExtSelectClipRgn, Ellipse, CreatePolygonRgn, Polygon, Polyline, EnumFontFamiliesW, GetTextCharsetInfo, CreateRoundRectRgn, CreateDIBSection, GetRgnBox, RealizePalette, SetPixel, StretchBlt, SetDIBColorTable, OffsetRgn, CreatePalette, GetPaletteEntries, EnumFontFamiliesExW, GetNearestPaletteIndex, GetSystemPaletteEntries, LPtoDP, ExtFloodFill, SetPaletteEntries, FillRgn, FrameRgn, GetBoundsRect, PtInRegion, GetViewportOrgEx, GetWindowOrgEx, SetPixelV, GetTextFaceW, SelectClipRgn, SaveDC, RestoreDC, LineTo, IntersectClipRect, GetWindowExtEx, GetViewportExtEx, GetPixel, GetObjectType, GetClipBox, ExcludeClipRect, CreatePatternBrush, SetBkColor, GetDeviceCaps, CreateDCW, CopyMetaFileW, GetTextMetricsW, GetCurrentObject, CreateRectRgn, Rectangle, DeleteDC, GetBkColor, Escape, ExtTextOutW, RectVisible, PtVisible, TextOutW, CreatePen, GetMapMode, CreateDIBitmap, CreateBitmap, GetTextColor, CreateFontW, GetTextExtentPoint32W, DeleteObject, GetStockObject, RoundRect, BitBlt, PatBlt, CreateCompatibleBitmap, CreateCompatibleDC, CreateSolidBrush, SetBkMode, SetTextColor, SelectObject, CreateFontIndirectW, CreateEllipticRgn, CreateHatchBrush, GetObjectW
MSIMG32.dll | TransparentBlt, AlphaBlend
WINSPOOL.DRV | ClosePrinter, DocumentPropertiesW, OpenPrinterW
ADVAPI32.dll | GetUserNameW, RegOpenKeyExW, RegQueryValueExW, RegEnumKeyExW, CryptEnumProvidersA, CryptSignHashA, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptAcquireContextA, ReportEventA, RegisterEventSourceA, DeregisterEventSource, RegQueryValueW, SetEntriesInAclW, GetSecurityInfo, SetSecurityInfo, InitializeAcl, ConvertStringSidToSidW, LookupAccountNameW, ConvertSidToStringSidW, RegEnumValueW, RegEnumKeyW, RegDeleteKeyW, CryptGetHashParam, RegCloseKey, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, CryptDecrypt, CryptReleaseContext, CryptDestroyHash, CryptDestroyKey, CryptEncrypt, CryptDeriveKey, CryptHashData, CryptCreateHash, CryptAcquireContextW, RegDeleteValueW, RegSetValueExW, RegCreateKeyExW, RegLoadKeyW, RegUnLoadKeyW, LookupAccountSidW
SHELL32.dll | DragQueryFileW, DragFinish, SHAppBarMessage, SHGetFileInfoW, SHGetPathFromIDListW, SHBrowseForFolderW, ShellExecuteW, SHGetFolderPathW, SHGetSpecialFolderLocation, SHGetDesktopFolder, SHGetMalloc, SHCreateDirectoryExW
COMCTL32.dll | InitCommonControlsEx, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_GetImageInfo, _TrackMouseEvent
SHLWAPI.dll | UrlUnescapeW, PathStripToRootW, PathIsUNCW, PathRemoveExtensionW, PathFindExtensionW, PathIsDirectoryW, PathCombineW, PathFindFileNameW, PathRemoveFileSpecW, PathFileExistsW, StrFormatKBSizeW
UxTheme.dll | GetThemeSysColor, IsAppThemed, OpenThemeData, CloseThemeData, DrawThemeBackground, GetThemeColor, IsThemeBackgroundPartiallyTransparent, GetThemePartSize, GetWindowTheme, DrawThemeText, GetCurrentThemeName, DrawThemeParentBackground
ole32.dll | CoInitializeEx, CoUninitialize, CoCreateInstance, CoInitialize, CoRegisterMessageFilter, CoRevokeClassObject, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, OleLockRunning, RevokeDragDrop, RegisterDragDrop, OleGetClipboard, OleUninitialize, OleInitialize, CoFreeUnusedLibraries, DoDragDrop, OleIsCurrentClipboard, OleFlushClipboard, CreateILockBytesOnHGlobal, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CoGetClassObject, CoDisconnectObject, CLSIDFromProgID, CoCreateGuid, CLSIDFromString, ReleaseStgMedium, OleDuplicateData, CoTaskMemFree, CoTaskMemAlloc, CreateStreamOnHGlobal, StringFromGUID2, CoSetProxyBlanket, CoInitializeSecurity, CoLockObjectExternal
OLEAUT32.dll | SysFreeString, SysAllocString, VariantClear, VarBstrCat, SysStringLen, SafeArrayAccessData, VariantInit, LoadTypeLib, VarBstrFromDate, VariantCopy, SafeArrayDestroy, VariantTimeToSystemTime, SystemTimeToVariantTime, OleCreateFontIndirect, VariantChangeType, SysAllocStringLen, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayUnaccessData
oledlg.dll | OleUIBusyW
urlmon.dll | CoInternetSetFeatureEnabled
gdiplus.dll | GdipGetImagePixelFormat, GdipGetImagePalette, GdipGetImagePaletteSize, GdipCreateBitmapFromStream, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipSetInterpolationMode, GdipGetImageHeight, GdiplusShutdown, GdiplusStartup, GdipDrawString, GdipSetStringFormatLineAlign, GdipSetStringFormatAlign, GdipDeleteFont, GdipCreateFontFamilyFromName, GdipDeleteFontFamily, GdipGetGenericFontFamilySansSerif, GdipCreateFont, GdipGetDpiY, GdipDeleteStringFormat, GdipCreateStringFormat, GdipLoadImageFromStream, GdipGetImageWidth, GdipGraphicsClear, GdipSetSolidFillColor, GdipAddPathEllipseI, GdipResetPath, GdipDrawPath, GdipClosePathFigure, GdipAddPathArcI, GdipDeletePen, GdipCreatePen1, GdipDeletePath, GdipCreatePath, GdipFillPath, GdipCreateBitmapFromHBITMAP, GdipDrawImageI, GdipSetSmoothingMode, GdipGetImageGraphicsContext, GdipCreateBitmapFromScan0, GdipReleaseDC, GdipImageSelectActiveFrame, GdipGetPropertyItem, GdipGetPropertyItemSize, GdipImageGetFrameCount, GdipImageGetFrameDimensionsList, GdipImageGetFrameDimensionsCount, GdipCloneImage, GdipDisposeImage, GdipDrawImageRectI, GdipFillRectangleI, GdipDeleteGraphics, GdipCreateFromHDC, GdipCreateSolidFill, GdipCloneBrush, GdipAlloc, GdipDeleteBrush, GdipFree
SETUPAPI.dll | SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInterfaceDetailW, SetupDiGetClassDevsW
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
dbghelp.dll | MiniDumpWriteDump
OLEACC.dll | CreateStdAccessibleObject, AccessibleObjectFromWindow, LresultFromObject
WININET.dll | InternetCrackUrlW, InternetCanonicalizeUrlW, InternetCloseHandle, InternetOpenUrlW, InternetReadFile, InternetSetFilePointer, InternetWriteFile, InternetQueryDataAvailable, InternetQueryOptionW, InternetGetLastResponseInfoW, InternetSetStatusCallbackW, InternetOpenW, HttpQueryInfoW
IMM32.dll | ImmGetContext, ImmGetOpenStatus, ImmReleaseContext
WINMM.dll | PlaySoundW
CRYPT32.dll | CertOpenStore, CertCloseStore, CertEnumCertificatesInStore, CertFindCertificateInStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertGetCertificateContextProperty
Language of compilation system | Country where language is spoken | Map
Chinese | China
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 17, 2023 06:15:15.319724083 CEST | 56452 | 53 | 192.168.2.3 | 8.8.8.8
Aug 17, 2023 06:15:16.269484043 CEST | 53 | 56452 | 8.8.8.8 | 192.168.2.3
Aug 17, 2023 06:16:20.170907021 CEST | 61769 | 53 | 192.168.2.3 | 8.8.8.8
Aug 17, 2023 06:16:20.744865894 CEST | 53 | 61769 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 17, 2023 06:15:15.319724083 CEST | 192.168.2.3 | 8.8.8.8 | 0x475a | Standard query (0) | jsy.newitboy.com | A (IP address) | IN (0x0001) | false
Aug 17, 2023 06:16:20.170907021 CEST | 192.168.2.3 | 8.8.8.8 | 0xdc08 | Standard query (0) | jsy.newitboy.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS

Target ID: 0
Start time: 06:15:09
Start date: 17/08/2023
Path: C:\Users\user\Desktop\k3yYC4F6nT.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\k3yYC4F6nT.exe
Imagebase: 0xb30000
File size: 30'775'808 bytes
MD5 hash: F9D4A14F2DE2540CA26FC868055C65B3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Execution Graph

Execution Coverage: 4.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 7%
Total number of Nodes: 1078
Total number of Limit Nodes: 66
__CxxThrowException@8 29812->29943 29944 c9c567 7 API calls _memcpy_s 29812->29944 29815 c83782 49 API calls 29813->29815 29814->29812 29817 c9d623 29815->29817 29927 cd0166 29817->29927 29819 c83782 49 API calls 29818->29819 29821 c9d650 CreatePatternBrush 29819->29821 29823 c83782 49 API calls 29821->29823 29825 c9d661 29823->29825 29945 b419e0 29825->29945 29826 c9d687 std::locale::_Init 29826->29753 29829 c9cd46 __EH_prolog3_GS 29828->29829 29830 c9cd55 GetDeviceCaps 29829->29830 29832 c9cd96 29830->29832 29831 c9cdd1 29833 c9cdef 29831->29833 29838 c8394e 49 API calls 29831->29838 29832->29831 29834 c8394e 49 API calls 29832->29834 29835 c9ce0d 29833->29835 29841 c8394e 49 API calls 29833->29841 29837 c9cdca DeleteObject 29834->29837 29836 c9ce2b 29835->29836 29842 c8394e 49 API calls 29835->29842 29839 c9ce49 29836->29839 29847 c8394e 49 API calls 29836->29847 29837->29831 29840 c9cde8 DeleteObject 29838->29840 29843 c9ce67 29839->29843 29850 c8394e 49 API calls 29839->29850 29840->29833 29844 c9ce06 DeleteObject 29841->29844 29846 c9ce24 DeleteObject 29842->29846 29845 c9ce85 29843->29845 29851 c8394e 49 API calls 29843->29851 29844->29835 29848 c9cea3 29845->29848 29855 c8394e 49 API calls 29845->29855 29846->29836 29849 c9ce42 DeleteObject 29847->29849 29852 c9cec1 29848->29852 29859 c8394e 49 API calls 29848->29859 29849->29839 29853 c9ce60 DeleteObject 29850->29853 29854 c9ce7e DeleteObject 29851->29854 29856 c9cedf 29852->29856 29860 c8394e 49 API calls 29852->29860 29853->29843 29854->29845 29858 c9ce9c DeleteObject 29855->29858 29976 c9c9c4 29856->29976 29858->29848 29862 c9ceba DeleteObject 29859->29862 29863 c9ced8 DeleteObject 29860->29863 29861 c9cef7 _memcpy_s 29864 c9cf04 GetTextCharsetInfo 29861->29864 29862->29852 29863->29856 29865 c9cf3c lstrcpyW 29864->29865 29867 c9cfd9 CreateFontIndirectW 29865->29867 29868 c9cf6d 29865->29868 29869 c83782 49 API calls 29867->29869 29868->29867 29870 c9cf76 EnumFontFamiliesW 29868->29870 29875 c9cfeb 
29869->29875 29871 c9cf92 lstrcpyW 29870->29871 29872 c9cfa7 EnumFontFamiliesW 29870->29872 29871->29867 29873 c9cfc6 lstrcpyW 29872->29873 29873->29867 29876 c9d02a CreateFontIndirectW 29875->29876 29877 c83782 49 API calls 29876->29877 29878 c9d03c 29877->29878 29879 c9c9c4 SystemParametersInfoW 29878->29879 29880 c9d057 CreateFontIndirectW 29879->29880 29881 c83782 49 API calls 29880->29881 29882 c9d07f CreateFontIndirectW 29881->29882 29883 c83782 49 API calls 29882->29883 29884 c9d0ab CreateFontIndirectW 29883->29884 29885 c83782 49 API calls 29884->29885 29886 c9d0cc GetSystemMetrics lstrcpyW CreateFontIndirectW 29885->29886 29887 c83782 49 API calls 29886->29887 29888 c9d108 GetStockObject 29887->29888 29889 c9d1ab GetStockObject 29888->29889 29890 c9d132 GetObjectW 29888->29890 29979 c839ee 29889->29979 29890->29889 29892 c9d143 lstrcpyW CreateFontIndirectW 29890->29892 29894 c83782 49 API calls 29892->29894 29893 c9d1b9 GetObjectW CreateFontIndirectW 29895 c83782 49 API calls 29893->29895 29896 c9d192 CreateFontIndirectW 29894->29896 29897 c9d1e2 CreateFontIndirectW 29895->29897 29898 c83782 49 API calls 29896->29898 29899 c83782 49 API calls 29897->29899 29898->29889 29900 c9d203 29899->29900 29992 c9d68d 29900->29992 29902 c9d244 29903 b419e0 50 API calls 29902->29903 29906 c9d259 29903->29906 29904 c9d20a 29904->29902 29905 c9d26a 29904->29905 30003 c7b85d 49 API calls 29904->30003 30007 c778cc 28 API calls __CxxThrowException@8 29905->30007 29908 c83056 50 API calls 29906->29908 29911 c9d264 29908->29911 29910 c9d26f 30004 dbeae0 29911->30004 29915->29760 29917 c83902 29916->29917 29918 c83905 29916->29918 29917->29774 29950 c8394e 29918->29950 29920 c8390a DeleteObject 29920->29774 29922 c8378f 29921->29922 29926 c837a4 29921->29926 29923 c84273 49 API calls 29922->29923 29924 c83799 29923->29924 29965 ca2022 28 API calls 29924->29965 29926->29777 29928 cd016f 29927->29928 29938 c9d675 29927->29938 29928->29938 29966 ccb42a 61 API calls 29928->29966 
29930 cd0182 29967 ccb42a 61 API calls 29930->29967 29932 cd018c 29968 ccb42a 61 API calls 29932->29968 29934 cd0196 29969 ccb42a 61 API calls 29934->29969 29936 cd01a0 29970 ccb42a 61 API calls 29936->29970 29939 c83056 29938->29939 29971 c83912 29939->29971 29941 c83086 ReleaseDC 29942 c83097 29941->29942 29942->29826 29943->29770 29944->29812 29946 c838fc 50 API calls 29945->29946 29947 b41a23 29946->29947 29948 dbdb97 _memcpy_s 5 API calls 29947->29948 29949 b41a3b 29948->29949 29949->29817 29951 c83959 29950->29951 29952 c83960 29950->29952 29954 c84273 29951->29954 29952->29920 29956 c8427f __EH_prolog3 29954->29956 29955 c842ca std::locale::_Init 29955->29952 29956->29955 29960 c76efb 29956->29960 29962 c76f02 29960->29962 29961 dd14c8 std::_Facet_Register 21 API calls 29961->29962 29962->29961 29963 c76f2c 29962->29963 29963->29955 29964 ca4a71 28 API calls 2 library calls 29963->29964 29964->29955 29965->29926 29966->29930 29967->29932 29968->29934 29969->29936 29970->29938 29972 c8391e 29971->29972 29974 c83925 29971->29974 29975 c84202 49 API calls 3 library calls 29972->29975 29974->29941 29975->29974 29977 c9c9d9 SystemParametersInfoW 29976->29977 29978 c9c9d3 29976->29978 29977->29861 29978->29977 29980 c84273 49 API calls 29979->29980 29981 c839f8 __EH_prolog3_catch 29980->29981 29991 ca4d04 std::locale::_Init 29981->29991 30008 ca21c3 28 API calls 29981->30008 29983 ca4d17 29983->29991 30009 ca21c3 28 API calls 29983->30009 29985 ca4d24 29985->29991 30010 d3a0a7 28 API calls 29985->30010 29987 ca4d53 29989 ca4d5f 29987->29989 30011 c778f6 28 API calls __CxxThrowException@8 29987->30011 30012 ca2022 28 API calls 29989->30012 29991->29893 29993 c9d699 __EH_prolog3_GS 29992->29993 29994 c9d6c3 GetTextMetricsW 29993->29994 30013 c778cc 28 API calls __CxxThrowException@8 29993->30013 29996 c83eb4 29994->29996 29997 c9d704 GetTextMetricsW 29996->29997 29998 c9d73f 29997->29998 29999 c83056 50 API calls 29998->29999 30000 c9d747 29999->30000 30001 dbeae0 5 
API calls 30000->30001 30002 c9d74c 30001->30002 30002->29904 30003->29904 30005 dbdb97 _memcpy_s 5 API calls 30004->30005 30006 dbeaeb 30005->30006 30006->30006 30007->29910 30008->29983 30009->29985 30010->29987 30011->29989 30012->29991 30013->29994 30877 de5938 33 API calls __Getcoll 30880 b32359 29 API calls 30884 c1a530 28 API calls 2 library calls 30227 dd112f 30228 dd113c 30227->30228 30229 dd1150 30227->30229 30246 dc622a 20 API calls __dosmaperr 30228->30246 30239 dd105a 30229->30239 30232 dd1141 30247 dc6151 23 API calls _memcpy_s 30232->30247 30233 dd115d 30235 dd1165 CreateThread 30233->30235 30237 dd114c 30233->30237 30236 dd1184 GetLastError 30235->30236 30235->30237 30265 dd0f4f 30235->30265 30248 dc61f4 20 API calls __dosmaperr 30236->30248 30249 de09ba 30239->30249 30243 dd1073 30244 dd107a GetModuleHandleExW 30243->30244 30245 dd1092 30243->30245 30244->30245 30245->30233 30246->30232 30247->30237 30248->30237 30254 de09c7 std::_Locinfo::_Locinfo_ctor 30249->30254 30250 de0a07 30263 dc622a 20 API calls __dosmaperr 30250->30263 30251 de09f2 RtlAllocateHeap 30252 dd106a 30251->30252 30251->30254 30256 de1298 30252->30256 30254->30250 30254->30251 30262 decad6 7 API calls 2 library calls 30254->30262 30257 de12a3 RtlFreeHeap 30256->30257 30261 de12cc __dosmaperr 30256->30261 30258 de12b8 30257->30258 30257->30261 30264 dc622a 20 API calls __dosmaperr 30258->30264 30260 de12be GetLastError 30260->30261 30261->30243 30262->30254 30263->30252 30264->30260 30266 dd0f5b 30265->30266 30267 dd0f6f 30266->30267 30268 dd0f62 GetLastError ExitThread 30266->30268 30279 de3685 GetLastError 30267->30279 30270 dd0f74 30299 de6b68 30270->30299 30272 dd0f8a 30306 dd11bc 30272->30306 30280 de369b 30279->30280 30283 de36a1 30279->30283 30311 de65fd 11 API calls 2 library calls 30280->30311 30282 de09ba std::_Locinfo::_Locinfo_ctor 20 API calls 30284 de36b3 30282->30284 30283->30282 30285 de36f0 SetLastError 30283->30285 30286 de36bb 30284->30286 30312 de6653 11 API 
calls 2 library calls 30284->30312 30285->30270 30288 de1298 _free 20 API calls 30286->30288 30290 de36c1 30288->30290 30289 de36d0 30289->30286 30291 de36d7 30289->30291 30292 de36fc SetLastError 30290->30292 30313 de34f7 20 API calls __Getcoll 30291->30313 30314 de1239 21 API calls _Atexit 30292->30314 30294 de36e2 30296 de1298 _free 20 API calls 30294->30296 30298 de36e9 30296->30298 30298->30285 30298->30292 30300 de6b8d 30299->30300 30301 de6b83 30299->30301 30315 de630b 5 API calls 2 library calls 30300->30315 30303 dbdb97 _memcpy_s 5 API calls 30301->30303 30304 dd0f7f 30303->30304 30304->30272 30309 de6a49 10 API calls 2 library calls 30304->30309 30305 de6ba4 30305->30301 30316 dd1003 30306->30316 30309->30272 30311->30283 30312->30289 30313->30294 30315->30305 30325 de3709 GetLastError 30316->30325 30318 dd1012 ExitThread 30320 dd1030 30321 dd1043 30320->30321 30323 dd103c CloseHandle 30320->30323 30321->30318 30324 dd104f FreeLibraryAndExitThread 30321->30324 30323->30321 30326 de3728 30325->30326 30327 de3722 30325->30327 30329 de09ba std::_Locinfo::_Locinfo_ctor 17 API calls 30326->30329 30331 de377f SetLastError 30326->30331 30345 de65fd 11 API calls 2 library calls 30327->30345 30330 de373a 30329->30330 30332 de3742 30330->30332 30346 de6653 11 API calls 2 library calls 30330->30346 30334 dd100e 30331->30334 30336 de1298 _free 17 API calls 30332->30336 30334->30318 30334->30320 30344 de6a9b 10 API calls 2 library calls 30334->30344 30335 de3757 30335->30332 30337 de375e 30335->30337 30338 de3748 30336->30338 30347 de34f7 20 API calls __Getcoll 30337->30347 30340 de3776 SetLastError 30338->30340 30340->30334 30341 de3769 30342 de1298 _free 17 API calls 30341->30342 30343 de376f 30342->30343 30343->30331 30343->30340 30344->30320 30345->30326 30346->30335 30347->30341 30376 b40340 30377 b4034d 30376->30377 30378 b4036f 30376->30378 30379 b40368 30377->30379 30383 b402e0 30377->30383 30380 b405a0 57 API calls 30378->30380 30382 b40379 30380->30382 30384 
b402f9 30383->30384 30388 b40307 30383->30388 30390 b40220 30384->30390 30385 b40333 30385->30379 30387 b40301 30387->30379 30388->30385 30403 b402a0 23 API calls 30388->30403 30391 b40241 30390->30391 30392 b40254 30391->30392 30395 b4029a 30391->30395 30404 b405d0 23 API calls 2 library calls 30392->30404 30394 b4026e 30394->30387 30396 b402c7 30395->30396 30397 b402f9 30395->30397 30401 b40307 30395->30401 30396->30387 30399 b40220 23 API calls 30397->30399 30398 b40333 30398->30387 30400 b40301 30399->30400 30400->30387 30401->30398 30405 b402a0 23 API calls 30401->30405 30403->30385 30404->30394 30405->30398 30887 b6f340 27 API calls _memcpy_s 30888 b9ab40 GdipDrawImageI

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000000,00000001,?,00000000,?,00000000,00000001,?), ref: 00BD0BAA
                                                                                      • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,?,?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD0BC6
                                                                                      • CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD0BDE
                                                                                      • CryptDeriveKey.ADVAPI32(00000001,00006801,00000001,00000001,?,?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD0BFD
                                                                                      • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,00000001,?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD0C19
                                                                                      • CryptDestroyKey.ADVAPI32(?,?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD0C30
                                                                                      • CryptDestroyHash.ADVAPI32(?,?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD0C39
                                                                                      • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD0C44
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD0C5D
                                                                                      • CryptDestroyKey.ADVAPI32(?), ref: 00BD0C89
                                                                                      • CryptDestroyHash.ADVAPI32(?), ref: 00BD0C92
                                                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00BD0C9D
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD0CB6
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD0CC3
                                                                                      • CryptDestroyHash.ADVAPI32(?), ref: 00BD0CEF
                                                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00BD0CFA
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD0D13
                                                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00BD0D41
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD0D5A
                                                                                      Strings
                                                                                      • P^`iiiiisxzz&1:<KTZeflr|"//1<FNT^mtz'2455;HHQ^`crx)2258GV]gu{}}}!)05?INQ, xrefs: 00BD0CC9
                                                                                      • KSVdddddkz*/002AKT^_fqx(1:?COWZdhl{|)/9D, xrefs: 00BD0C6E, 00BD0CD4, 00BD0D24, 00BD0D6B
                                                                                      • GSWdddddfsx!$1;=FJVeeop|*67DIQS]ivv %.9>GS\\^jps!%*006<GNT[en}'(-266BHHW, xrefs: 00BD0CBC
                                                                                      • GNP_____hss| $//1899@EOXckvz!%(((29CRTT^lmr##.;IMZhkmux(23777FFLQ]^^flmmxy &49:@@FMMY\\kmt}*7?LX[iv'-5?L, xrefs: 00BD0D61
                                                                                      • GJQRRRRRWZ[foy #//=BFMY`nz*4CFPUW]ix *08GQ]fuy)33@JOO\efgnvw&.9@LWamp||#, xrefs: 00BD0C64
                                                                                      • NUW\\\\\^gpyy%28GJXZ\ackw(-4?GJYalot"-0:HIJP]`npx|+33BGSTcflxy|)2>MZgp!!, xrefs: 00BD0D1A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Crypt$ContextDestroyErrorHashLast$Release$AcquireCreateDataDeriveEncrypt
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 00DEA822
                                                                                      • _free.LIBCMT ref: 00DEA846
                                                                                      • _free.LIBCMT ref: 00DEA9CD
                                                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F22148), ref: 00DEA9DF
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00DEAA57
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 00DEAA84
                                                                                      • _free.LIBCMT ref: 00DEAB99
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                      • String ID: Pacific Daylight Time$Pacific Standard Time
                                                                                      • API String ID: 314583886-1154798116
                                                                                      • Opcode ID: 2aa7fa332eabd0f0c7f4eeb0807af15f03a9876169acaf9ae79fad0fa2817281
                                                                                      • Instruction ID: e4bdb45b4e3ddc6d3f66fa7d1138524d880498bdf7bde37061b9f043b27827cf
                                                                                      • Opcode Fuzzy Hash: 2aa7fa332eabd0f0c7f4eeb0807af15f03a9876169acaf9ae79fad0fa2817281
                                                                                      • Instruction Fuzzy Hash: 7FC15C719002879FDB24BF7EDC41AAD7BB8EF46310F5841AAE49497241E730AE42CB71
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLastselect
                                                                                      • String ID:
                                                                                      • API String ID: 215497628-0
                                                                                      • Opcode ID: c33009d3762bcdcd2478639faf2db17185eed3ca6d2de7a0e8702119b193f763
                                                                                      • Instruction ID: 4f275003a6315385cc0e1a03ca92037ac85466a7a6a64206766fd30195363aa3
                                                                                      • Opcode Fuzzy Hash: c33009d3762bcdcd2478639faf2db17185eed3ca6d2de7a0e8702119b193f763
                                                                                      • Instruction Fuzzy Hash: 95B16E71E042298BDF258F29D8817A9B7B9FF88310F5446E9D869E6241DB309FC58F50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • __EH_prolog3.LIBCMT ref: 00C9D277
                                                                                      • GetSysColor.USER32(00000016), ref: 00C9D280
                                                                                      • GetSysColor.USER32(0000000F), ref: 00C9D293
                                                                                      • GetSysColor.USER32(00000015), ref: 00C9D2AA
                                                                                      • GetSysColor.USER32(0000000F), ref: 00C9D2B6
                                                                                      • GetDeviceCaps.GDI32(?,0000000C), ref: 00C9D2DE
                                                                                      • GetSysColor.USER32(0000000F), ref: 00C9D2EC
                                                                                      • GetSysColor.USER32(00000010), ref: 00C9D2FA
                                                                                      • GetSysColor.USER32(00000015), ref: 00C9D308
                                                                                      • GetSysColor.USER32(00000016), ref: 00C9D316
                                                                                      • GetSysColor.USER32(00000014), ref: 00C9D324
                                                                                      • GetSysColor.USER32(00000012), ref: 00C9D332
                                                                                      • GetSysColor.USER32(00000011), ref: 00C9D340
                                                                                      • GetSysColor.USER32(00000006), ref: 00C9D34B
                                                                                      • GetSysColor.USER32(0000000D), ref: 00C9D356
                                                                                      • GetSysColor.USER32(0000000E), ref: 00C9D361
                                                                                      • GetSysColor.USER32(00000005), ref: 00C9D36C
                                                                                      • GetSysColor.USER32(00000008), ref: 00C9D37A
                                                                                      • GetSysColor.USER32(00000009), ref: 00C9D385
                                                                                      • GetSysColor.USER32(00000007), ref: 00C9D390
                                                                                      • GetSysColor.USER32(00000002), ref: 00C9D39B
                                                                                      • GetSysColor.USER32(00000003), ref: 00C9D3A6
                                                                                      • GetSysColor.USER32(0000001B), ref: 00C9D3B4
                                                                                      • GetSysColor.USER32(0000001C), ref: 00C9D3C2
                                                                                      • GetSysColor.USER32(0000000A), ref: 00C9D3D0
                                                                                      • GetSysColor.USER32(0000000B), ref: 00C9D3DE
                                                                                      • GetSysColor.USER32(00000013), ref: 00C9D3EC
                                                                                      • GetSysColor.USER32(0000001A), ref: 00C9D40D
                                                                                      • GetSysColorBrush.USER32(00000010), ref: 00C9D426
                                                                                      • GetSysColorBrush.USER32(00000014), ref: 00C9D43A
                                                                                      • GetSysColorBrush.USER32(00000005), ref: 00C9D449
                                                                                      • CreateSolidBrush.GDI32(?), ref: 00C9D466
                                                                                      • CreateSolidBrush.GDI32(?), ref: 00C9D484
                                                                                      • CreateSolidBrush.GDI32(?), ref: 00C9D4A2
                                                                                      • CreateSolidBrush.GDI32(?), ref: 00C9D4C3
                                                                                      • CreateSolidBrush.GDI32(?), ref: 00C9D4E1
                                                                                      • CreateSolidBrush.GDI32(?), ref: 00C9D4FF
                                                                                      • CreateSolidBrush.GDI32(?), ref: 00C9D51D
                                                                                      • CreatePen.GDI32(00000000,00000001,00000000), ref: 00C9D541
                                                                                      • CreatePen.GDI32(00000000,00000001,00000000), ref: 00C9D565
                                                                                      • CreatePen.GDI32(00000000,00000001,00000000), ref: 00C9D589
                                                                                      • CreateSolidBrush.GDI32(?), ref: 00C9D611
                                                                                      • CreatePatternBrush.GDI32(00000000), ref: 00C9D653
                                                                                      Strings
                                                                                      • /AZWbMa87LBSQ5IsRghQkW73xCTng3/ZUZ8yXf2lbXdjMHr774bLXgv0SB5MrVuRQLFB5m9+8BPiA3zBsaPcPzUaYv/YLmwGfAmyxtgELrH60cwhaG0I/KQ+4O6xteZeOv+Wgn1WFg9eXrsMGxBbeoA26STZ3QVVMN6drYFxfxoSu6Yw2beyHvfLFRJEHv7JOOvUH0VjA2q0OjXHnr38zIDkyOCnohh9qSyZCXSAW9EtQ51z2aX3MYuX61fpCJ6+cmTw, xrefs: 00C9D286
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$BrushCreate$Solid$CapsDeviceH_prolog3Pattern
                                                                                      • String ID: /AZWbMa87LBSQ5IsRghQkW73xCTng3/ZUZ8yXf2lbXdjMHr774bLXgv0SB5MrVuRQLFB5m9+8BPiA3zBsaPcPzUaYv/YLmwGfAmyxtgELrH60cwhaG0I/KQ+4O6xteZeOv+Wgn1WFg9eXrsMGxBbeoA26STZ3QVVMN6drYFxfxoSu6Yw2beyHvfLFRJEHv7JOOvUH0VjA2q0OjXHnr38zIDkyOCnohh9qSyZCXSAW9EtQ51z2aX3MYuX61fpCJ6+cmTw
                                                                                      • API String ID: 3832706086-3633295296
                                                                                      • Opcode ID: 5bc4bc97e89fc75ad33619bba512aa2f0e4d102bef43ebeaf910e51e9a3e4ce8
                                                                                      • Instruction ID: fa53088a9eea39a60f0b7edf89b7f4204f330e95bff55412c0e32b6f35d7cbb3
                                                                                      • Opcode Fuzzy Hash: 5bc4bc97e89fc75ad33619bba512aa2f0e4d102bef43ebeaf910e51e9a3e4ce8
                                                                                      • Instruction Fuzzy Hash: DCC1B370A02612AFCB45BFB1AC1E7ADBB70FF04B01F04451AF616EB291CB34A614DB94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00C9CD41
                                                                                        • Part of subcall function 00C82F12: __EH_prolog3.LIBCMT ref: 00C82F19
                                                                                        • Part of subcall function 00C82F12: GetWindowDC.USER32(00000000,00000004,00C9D2D6,00000000), ref: 00C82F45
                                                                                      • GetDeviceCaps.GDI32(?,00000058), ref: 00C9CD61
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C9CDCB
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C9CDE9
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C9CE07
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C9CE25
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C9CE43
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C9CE61
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C9CE7F
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C9CE9D
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C9CEBB
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C9CED9
                                                                                      • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 00C9CF11
                                                                                      • lstrcpyW.KERNEL32 ref: 00C9CF61
                                                                                      • EnumFontFamiliesW.GDI32(?,00000000,00C9C85F,Segoe UI), ref: 00C9CF88
                                                                                      • lstrcpyW.KERNEL32 ref: 00C9CF9B
                                                                                      • EnumFontFamiliesW.GDI32(?,00000000,00C9C85F,Tahoma), ref: 00C9CFB9
                                                                                      • lstrcpyW.KERNEL32 ref: 00C9CFD3
                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00C9CFDD
                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00C9D02E
                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00C9D06D
                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00C9D099
                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00C9D0BA
                                                                                      • GetSystemMetrics.USER32 ref: 00C9D0D9
                                                                                      • lstrcpyW.KERNEL32 ref: 00C9D0EC
                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00C9D0F6
                                                                                      • GetStockObject.GDI32(00000011), ref: 00C9D122
                                                                                      • GetObjectW.GDI32(00000000,0000005C,?,?,?,00000000), ref: 00C9D139
                                                                                      • lstrcpyW.KERNEL32 ref: 00C9D176
                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00C9D180
                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00C9D199
                                                                                      • GetStockObject.GDI32(00000011), ref: 00C9D1AD
                                                                                      • GetObjectW.GDI32(?,0000005C,?,00000000,?,?,00000000), ref: 00C9D1C2
                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00C9D1D0
                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00C9D1F1
                                                                                        • Part of subcall function 00C9D68D: __EH_prolog3_GS.LIBCMT ref: 00C9D694
                                                                                        • Part of subcall function 00C9D68D: GetTextMetricsW.GDI32(?,?,00000006,00000000,00000054,00C9D20A,00000000,?,?,00000000), ref: 00C9D6CA
                                                                                        • Part of subcall function 00C9D68D: GetTextMetricsW.GDI32(?,?,?,?,?,00000000), ref: 00C9D70B
                                                                                        • Part of subcall function 00C778CC: __CxxThrowException@8.LIBVCRUNTIME ref: 00C778E0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_Stock$CapsCharsetDeviceException@8H_prolog3InfoSystemThrowWindow
                                                                                      • String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
                                                                                      • API String ID: 3209990573-1395034203
                                                                                      • Opcode ID: 594cee79c3eee4889bc060ac2516cb6d50b7268fcf03f9c90080eb1aaa7de0c7
                                                                                      • Instruction ID: 213a6eb68f2a32c62e38a69db11065ed865eaad714fad2546e23d81508137cd7
                                                                                      • Opcode Fuzzy Hash: 594cee79c3eee4889bc060ac2516cb6d50b7268fcf03f9c90080eb1aaa7de0c7
                                                                                      • Instruction Fuzzy Hash: 5DE18E71A00349DFDF10ABB1DD4DBEEBBB8AF04705F04445AE15AAB2A1DB749A48CF14
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 263 ca0ee0-ca0efb EnterCriticalSection 264 ca0f0a-ca0f0f 263->264 265 ca0efd-ca0f04 263->265 267 ca0f2c-ca0f36 264->267 268 ca0f11-ca0f14 264->268 265->264 266 ca0fb5-ca0fb8 265->266 270 ca0fba-ca0fbd 266->270 271 ca0fc0-ca0fdc LeaveCriticalSection 266->271 272 ca0f38-ca0f4b call c77c64 GlobalAlloc 267->272 273 ca0f4d-ca0f78 GlobalHandle GlobalUnlock call c77c64 GlobalReAlloc 267->273 269 ca0f17-ca0f1a 268->269 274 ca0f1c-ca0f22 269->274 275 ca0f24-ca0f26 269->275 270->271 280 ca0f7b-ca0f7d 272->280 273->280 274->269 274->275 275->266 275->267 281 ca0f7f-ca0f82 280->281 282 ca0f86-ca0fb2 GlobalLock call dc3900 280->282 283 ca0fed-ca1015 LeaveCriticalSection call c778f6 281->283 284 ca0f84-ca0fe7 GlobalHandle GlobalLock 281->284 282->266 290 ca1070-ca10ab EnterCriticalSection call ca12f6 LeaveCriticalSection LocalFree call dbeac5 TlsSetValue 283->290 291 ca1017 283->291 284->283 309 ca10b1-ca10b7 290->309 293 ca101a-ca101c 291->293 295 ca101e-ca1025 293->295 296 ca1037-ca1042 293->296 295->296 300 ca1027-ca102e 295->300 297 ca105c-ca105f 296->297 298 ca1044-ca1059 call dbeac5 296->298 301 ca1063 297->301 298->297 300->301 302 ca1030-ca1035 300->302 305 ca1066-ca106a 301->305 302->305 305->293 308 ca106c-ca106e 305->308 308->290 308->309
                                                                                      APIs
                                                                                      • EnterCriticalSection.KERNEL32(011AABFC,00000000,?,?,011AABE0,?,00CA1231,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70), ref: 00CA0EED
                                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,011AABE0,?,00CA1231,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70), ref: 00CA0F45
                                                                                      • GlobalHandle.KERNEL32(02CE9060), ref: 00CA0F50
                                                                                      • GlobalUnlock.KERNEL32(00000000,?,?,011AABE0,?,00CA1231,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70,?,00B405B2), ref: 00CA0F59
                                                                                      • GlobalReAlloc.KERNEL32 ref: 00CA0F72
                                                                                      • GlobalLock.KERNEL32 ref: 00CA0F87
                                                                                      • LeaveCriticalSection.KERNEL32(011AABFC), ref: 00CA0FCE
                                                                                      • GlobalHandle.KERNEL32(02CE9060), ref: 00CA0FE0
                                                                                      • GlobalLock.KERNEL32 ref: 00CA0FE7
                                                                                      • LeaveCriticalSection.KERNEL32(011AABFC,?,?,011AABE0,?,00CA1231,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70,?,00B405B2), ref: 00CA0FEE
                                                                                      • EnterCriticalSection.KERNEL32(?,011AABE0,011AABFC,00000001), ref: 00CA1074
                                                                                      • LeaveCriticalSection.KERNEL32(?,00000000), ref: 00CA1087
                                                                                      • LocalFree.KERNEL32(?), ref: 00CA1090
                                                                                      • TlsSetValue.KERNEL32(00000000,00000000), ref: 00CA10AB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Global$CriticalSection$Leave$AllocEnterHandleLock$FreeLocalUnlockValue
                                                                                      • String ID:
                                                                                      • API String ID: 3723562325-0
                                                                                      • Opcode ID: 854ab0e5d0ea7ac62765a9f18cd671823cc6645797fbfdffbc0145e4d7c9527d
                                                                                      • Instruction ID: 7a06d86632202aaabde5b0028877ccf6ef55ee503950f91ba46e2bdbee4942d7
                                                                                      • Opcode Fuzzy Hash: 854ab0e5d0ea7ac62765a9f18cd671823cc6645797fbfdffbc0145e4d7c9527d
                                                                                      • Instruction Fuzzy Hash: 0551DF31A00206EFC714DF65EC89A99B7B8FF05355F24826AE915EB260DB31EA51CB90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • PathFileExistsW.SHLWAPI(?,7F82841F), ref: 00BD300A
                                                                                      • GetFileAttributesW.KERNEL32(?,?,7F82841F), ref: 00BD3019
                                                                                      • GetFileVersionInfoSizeW.KERNELBASE(?,00000000,00000000,?,?,7F82841F), ref: 00BD3050
                                                                                      • GetFileVersionInfoW.KERNELBASE(?,00000000,?,00000000,?,?,?,?,00000000,00EC9948,000000FF), ref: 00BD3096
                                                                                      • VerQueryValueW.VERSION(00000000,00000000,?,00000000,?,00000000,?,00000000), ref: 00BD30BE
                                                                                      Strings
                                                                                      • MMRaaaaaox$147>JOXXfor{)246@JQ]fozz %3?G, xrefs: 00BD3137
                                                                                      • FIJPPPPP]kmz!'1=EQ^`iu .7BOW_jxz{"//0:;I, xrefs: 00BD30B2
                                                                                      • LSXbbbbbhoqu!/058DDKNT\clz$+118CHVZ^mmr!"(29BIIOO\^lmpppz )29;BQ``mw}(03, xrefs: 00BD30DE
                                                                                      • LQQ\\\\\cmt|||))3<JT\\ekmrz{$$/:@AGQ[_m{, xrefs: 00BD302C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$InfoVersion$AttributesExistsPathQuerySizeValue
                                                                                      • String ID: FIJPPPPP]kmz!'1=EQ^`iu .7BOW_jxz{"//0:;I$LQQ\\\\\cmt|||))3<JT\\ekmrz{$$/:@AGQ[_m{$LSXbbbbbhoqu!/058DDKNT\clz$+118CHVZ^mmr!"(29BIIOO\^lmpppz )29;BQ``mw}(03$MMRaaaaaox$147>JOXXfor{)246@JQ]fozz %3?G
                                                                                      • API String ID: 1398469020-2849041400
                                                                                      • Opcode ID: 1f496b581d528ac5bf3d84fd384ff422c7bb190ad724fa3d8df37cb797f97f7a
                                                                                      • Instruction ID: 617a42cdad1d1a16b189d5a02e9fe754c00d8dfe77ad15f04030cd8ceb8ab9eb
                                                                                      • Opcode Fuzzy Hash: 1f496b581d528ac5bf3d84fd384ff422c7bb190ad724fa3d8df37cb797f97f7a
                                                                                      • Instruction Fuzzy Hash: A441A1B190010A9BDB04EBA9DC45BBFB7F8EF44710F10426AF516E7382EB759A058B61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 494 c77208-c77226 call dbeb02 call c76efb 499 c77231-c77247 call dc3a5a 494->499 500 c77228-c7722f call c76f55 494->500 504 c7724c-c7726d GetMenuItemCount * 2 499->504 500->499 505 c772f6-c772fa 504->505 506 c77273-c77274 504->506 507 c77275-c77283 GetSubMenu 506->507 508 c77285-c77289 507->508 509 c772ef-c772f2 507->509 510 c772c3-c772c8 508->510 511 c7728b-c77299 GetMenuItemCount 508->511 509->507 512 c772f4-c772f5 509->512 510->509 514 c772ca-c772d6 GetSubMenu 510->514 511->509 513 c7729b-c772a6 GetSubMenu 511->513 512->505 515 c772b0-c772c1 RemoveMenu 513->515 516 c772a8-c772ac 513->516 517 c772e0-c772e9 RemoveMenu 514->517 518 c772d8-c772dc 514->518 515->509 516->513 519 c772ae 516->519 517->509 518->514 520 c772de 518->520 519->509 520->509
                                                                                      APIs
                                                                                      • __EH_prolog3.LIBCMT ref: 00C7720F
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00C77247
                                                                                      • GetMenuItemCount.USER32 ref: 00C77256
                                                                                      • GetMenuItemCount.USER32 ref: 00C77262
                                                                                      • GetSubMenu.USER32 ref: 00C77279
                                                                                      • GetMenuItemCount.USER32 ref: 00C7728C
                                                                                      • GetSubMenu.USER32 ref: 00C7729D
                                                                                      • RemoveMenu.USER32(00000000,00000000,00000400,?,?,?,?,?,01181E50,00000004,00B405B8,?,?,00B404BE,80070057), ref: 00C772B7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$CountItem$Exception@8H_prolog3RemoveThrow
                                                                                      • String ID:
                                                                                      • API String ID: 642076194-0
                                                                                      • Opcode ID: f8072c6e6b2cb3a05d5b651b32d1d9f383ae16d259aae64f51c7f43cb8a8358c
                                                                                      • Instruction ID: 93712c63d9f24bd7fc0a60c4b28d5dbde7569653b4c215024898cae2ed73068f
                                                                                      • Opcode Fuzzy Hash: f8072c6e6b2cb3a05d5b651b32d1d9f383ae16d259aae64f51c7f43cb8a8358c
                                                                                      • Instruction Fuzzy Hash: 4D31C33160620DEFDB519F65DC0DEAE3B78FB80310F50862AF529E6252CB709A41DB64
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 521 b945e0-b945ec 522 b9460f-b94625 521->522 523 b945ee-b9460e call b44260 call b32420 521->523 525 b946d9-b946fa CreateFileW 522->525 526 b9462b-b9462e 522->526 529 b9471b-b9471f 525->529 530 b946fc-b94718 call b44260 call b32420 525->530 528 b94630-b94639 526->528 528->528 532 b9463b-b94663 call c76f32 528->532 534 b94721-b94734 SetFilePointer 529->534 535 b94735-b94742 SetEndOfFile 529->535 530->529 541 b946d8 532->541 542 b94665-b9466b 532->542 541->525 544 b94670-b9467f 542->544 544->544 545 b94681-b9468f call b44260 544->545 548 b94690-b94699 545->548 548->548 549 b9469b-b9469d 548->549 550 b946a0-b946aa 549->550 550->550 551 b946ac-b946d7 DeleteFileW MoveFileW call c76f3b 550->551 551->541
                                                                                      APIs
                                                                                      • DeleteFileW.KERNEL32(00000001,011B3810,00000001,00BA4ED6), ref: 00B946BE
                                                                                      • MoveFileW.KERNEL32(00000000,00000001), ref: 00B946C8
                                                                                      • CreateFileW.KERNEL32(00000000,40000000,00000003,00000000,00000004,00000080,00000000,00B943E3,011B3810,?,00B94534,?,011B3810,?,00B943E3,00000001), ref: 00B946EE
                                                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00B94534,?,011B3810,?,00B943E3,00000001,00BA4ED6), ref: 00B9472A
                                                                                        • Part of subcall function 00B32420: EnterCriticalSection.KERNEL32(00B9441B,?,011B3810,?,00B94718,011B3810,00000000,00000000,00000000,?,00B94534,?,011B3810,?,00B943E3,00000001), ref: 00B32434
                                                                                        • Part of subcall function 00B32420: LeaveCriticalSection.KERNEL32(00B9441B,011B3810,?,?,011B3810,?,00B94718,011B3810,00000000,00000000,00000000,?,00B94534,?,011B3810), ref: 00B32449
                                                                                      Strings
                                                                                      • KUZbbbbbpy)+5?@FIOX\es$37<IW]frs"--:<IV`, xrefs: 00B94681
                                                                                      • L[]kkkkkw%+,27=DMS^ejqy%)6;EEJTT[iq|-9EMW`ntw{&+9BDMN\`mw%0:IL[]fhkny'25=ILYdssvz%/5DGSbikz{+-099@NZgrtt, xrefs: 00B945EE
                                                                                      • ELSTTTTTWdmp %17CKOQUV^^``ft|,8:@BGV_dny'23@HM\bisv},14;>JJY]ky&&/9:>DGNOV`hqq{"%379EPPRXahq"*3@MY^jlos")5@KY\crrrzz#,8ABHU]hjp||}%//;EM, xrefs: 00B946FF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$CriticalSection$CreateDeleteEnterLeaveMovePointer
                                                                                      • String ID: ELSTTTTTWdmp %17CKOQUV^^``ft|,8:@BGV_dny'23@HM\bisv},14;>JJY]ky&&/9:>DGNOV`hqq{"%379EPPRXahq"*3@MY^jlos")5@KY\crrrzz#,8ABHU]hjp||}%//;EM$KUZbbbbbpy)+5?@FIOX\es$37<IW]frs"--:<IV`$L[]kkkkkw%+,27=DMS^ejqy%)6;EEJTT[iq|-9EMW`ntw{&+9BDMN\`mw%0:IL[]fhkny'25=ILYdssvz%/5DGSbikz{+-099@NZgrtt
                                                                                      • API String ID: 1132415027-2784382898
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00DE2C26: CreateFileW.KERNEL32(00000000,00000000,?,00DE3019,?,?,00000000,?,00DE3019,00000000,0000000C), ref: 00DE2C43
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EC9A46), ref: 00DE3084
                                                                                      • __dosmaperr.LIBCMT ref: 00DE308B
                                                                                      • GetFileType.KERNEL32(00000000), ref: 00DE3097
                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EC9A46), ref: 00DE30A1
                                                                                      • __dosmaperr.LIBCMT ref: 00DE30AA
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00DE30CA
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00DE3214
                                                                                      • GetLastError.KERNEL32 ref: 00DE3246
                                                                                      • __dosmaperr.LIBCMT ref: 00DE324D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                      • String ID:
                                                                                      • API String ID: 4237864984-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,7F82841F), ref: 00BD107E
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00EC9580,000000FF,?,00BC2F63,011B3930), ref: 00BD10A9
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00BC2F63,011B3930), ref: 00BD10D2
                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00BC2F63,011B3930), ref: 00BD10F4
                                                                                      Strings
                                                                                      • CNORRRRR]``amx)//4=AOW]__knq{ )*1=LS\gsx, xrefs: 00BD103A
                                                                                      • L[\kkkkkry{|-7:@HU]ksuz}}}-/18GV]lv%13?G, xrefs: 00BD1258
                                                                                      • 0, xrefs: 00BD1184
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide
                                                                                      • String ID: 0$CNORRRRR]``amx)//4=AOW]__knq{ )*1=LS\gsx$L[\kkkkkry{|-7:@HU]ksuz}}}-/18GV]lv%13?G
                                                                                      • API String ID: 626452242-1703833467
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F22148), ref: 00DEA9DF
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00DEAA57
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 00DEAA84
                                                                                      • _free.LIBCMT ref: 00DEA9CD
                                                                                        • Part of subcall function 00DE1298: RtlFreeHeap.NTDLL(00000000,00000000,?,00DE3F9B,?,00000000,?,00000000,?,00DE423F,?,00000007,?,?,00DE46BB,?), ref: 00DE12AE
                                                                                        • Part of subcall function 00DE1298: GetLastError.KERNEL32(?,?,00DE3F9B,?,00000000,?,00000000,?,00DE423F,?,00000007,?,?,00DE46BB,?,?), ref: 00DE12C0
                                                                                      • _free.LIBCMT ref: 00DEAB99
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                      • String ID: Pacific Daylight Time$Pacific Standard Time
                                                                                      • API String ID: 1286116820-1154798116
                                                                                      • Opcode ID: e031a08680f7590ac3e9e5ca1faee1178dd70adaa145ce68d2666399099baa2f
                                                                                      • Instruction ID: 279c5180b16a24b248e3268dd97b56e53c0fe2cdd918754ea776ea02a04716fd
                                                                                      • Opcode Fuzzy Hash: e031a08680f7590ac3e9e5ca1faee1178dd70adaa145ce68d2666399099baa2f
                                                                                      • Instruction Fuzzy Hash: 1E51F67190024BAFD724FFAEDC419AE7BB8EF45320B54027AE46497180E730AD41CB71
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • __EH_prolog3.LIBCMT ref: 00D3D551
                                                                                        • Part of subcall function 00CA49D9: EnterCriticalSection.KERNEL32(011AAE50,?,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004), ref: 00CA4A0A
                                                                                        • Part of subcall function 00CA49D9: InitializeCriticalSection.KERNEL32(00000000,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004,00CBD2FF), ref: 00CA4A20
                                                                                        • Part of subcall function 00CA49D9: LeaveCriticalSection.KERNEL32(011AAE50,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004,00CBD2FF), ref: 00CA4A2E
                                                                                        • Part of subcall function 00CA49D9: EnterCriticalSection.KERNEL32(00000000,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004,00CBD2FF), ref: 00CA4A3B
                                                                                      • GetProfileIntW.KERNEL32 ref: 00D3D5A4
                                                                                      • GetProfileIntW.KERNEL32 ref: 00D3D5BA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
                                                                                      • String ID: DragDelay$DragMinDist$windows
                                                                                      • API String ID: 3965097884-2101198082
                                                                                      • Opcode ID: 75c41c172abd999e665d91dd2d90d718ff4e785d49bfed3f8dafb9d5a05b7db9
                                                                                      • Instruction ID: cd0da54e71db145b6f1c4ecd735196e7a6f13b17583aec244f38a05b4c092913
                                                                                      • Opcode Fuzzy Hash: 75c41c172abd999e665d91dd2d90d718ff4e785d49bfed3f8dafb9d5a05b7db9
                                                                                      • Instruction Fuzzy Hash: 6A015AB0941700DFD7A0EF75984670ABAE4FB48B00F40492FE08AD7685EBB0A540EF58
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 769 b94750-b94771 770 b9477a-b9477e 769->770 771 b94773-b94774 OutputDebugStringW 769->771 772 b947ab-b947af 770->772 773 b94780-b94782 770->773 771->770 774 b94819-b94828 call dbdb97 772->774 775 b947b1-b947b5 772->775 776 b94785-b9478e 773->776 775->774 777 b947b7-b947f0 WideCharToMultiByte call dd14c8 WideCharToMultiByte 775->777 776->776 779 b94790-b947a5 GetStdHandle WriteConsoleW 776->779 783 b947f3-b947f8 777->783 779->772 783->783 784 b947fa-b94811 WriteFile call dd14d3 783->784 786 b94816 784->786 786->774
                                                                                      APIs
                                                                                      • OutputDebugStringW.KERNEL32(00B948EE,00B9441B,011B3810,?,?,00B948EE,?,?,?,?,?,011B3810), ref: 00B94774
                                                                                      • GetStdHandle.KERNEL32(000000F5,00B948EE,00B948EC,00B948EE,00000000,00B9441B,011B3810,?,?,00B948EE,?,?,?,?,?,011B3810), ref: 00B9479E
                                                                                      • WriteConsoleW.KERNEL32(00000000,?,?,00B948EE,?,?,?,?,?,011B3810), ref: 00B947A5
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00B948EE,000000FF,00000000,00000000,00000000,00000000,00B943E3,00B9441B,011B3810,?,?,00B948EE,?), ref: 00B947CD
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00B948EE,?), ref: 00B947EB
                                                                                      • WriteFile.KERNEL32(00000000,00000000,00000001,00B948EE,00000000,?,?,00B948EE,?,?,?,?,?,011B3810), ref: 00B9480A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWideWrite$ConsoleDebugFileHandleOutputString
                                                                                      • String ID:
                                                                                      • API String ID: 1611463762-0
                                                                                      • Opcode ID: 6b3cd98573445137857c20ffbdb93d3e96b6fd223fad9edb3fc9da2581e79ae1
                                                                                      • Instruction ID: 453610b03461116fb1ddac7dad3c951597511f32cb4f5dd7342b1359a2d9b781
                                                                                      • Opcode Fuzzy Hash: 6b3cd98573445137857c20ffbdb93d3e96b6fd223fad9edb3fc9da2581e79ae1
                                                                                      • Instruction Fuzzy Hash: 782137716002047FEF14AFA4DC8AFFA7BA9EB06710F184299F9156E2C1E7716D05C7A0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 787 de3685-de3699 GetLastError 788 de369b-de36a5 call de65fd 787->788 789 de36a7-de36ae call de09ba 787->789 788->789 794 de36f0-de36fb SetLastError 788->794 793 de36b3-de36b9 789->793 795 de36bb 793->795 796 de36c4-de36d2 call de6653 793->796 797 de36bc-de36c2 call de1298 795->797 802 de36d7-de36ee call de34f7 call de1298 796->802 803 de36d4-de36d5 796->803 804 de36fc-de3708 SetLastError call de1239 797->804 802->794 802->804 803->797
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_free$_abort
                                                                                      • String ID:
                                                                                      • API String ID: 3160817290-0
                                                                                      • Opcode ID: 5c62d054aba4fbbf1255f2ea684e0d08b227cbc700ed66201a0d00a7d6bc147f
                                                                                      • Instruction ID: 4932181c2adf1e4a79d87ce59ea34b7d8a3f6b4b7ee0dbc23b6dcd5f0ef12f4a
                                                                                      • Opcode Fuzzy Hash: 5c62d054aba4fbbf1255f2ea684e0d08b227cbc700ed66201a0d00a7d6bc147f
                                                                                      • Instruction Fuzzy Hash: 61F086352446C13AD6123A3B6C0FB3A1A29CBC17A4B280129F514EB391FE71CA454179
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _wcschr.LIBVCRUNTIME ref: 00B94A0D
                                                                                      • CloseHandle.KERNEL32(00000000,00B9441B), ref: 00B94A91
                                                                                      Strings
                                                                                      • L[\kkkkkntux$.;<FQ^eqqw''/<?@EOORXces#2?, xrefs: 00B948C2
                                                                                      • LSXaaaaaiqv&*/;GTU]go}+3>GV[\^lmx)49AKWZ, xrefs: 00B94897
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle_wcschr
                                                                                      • String ID: LSXaaaaaiqv&*/;GTU]go}+3>GV[\^lmx)49AKWZ$L[\kkkkkntux$.;<FQ^eqqw''/<?@EOORXces#2?
                                                                                      • API String ID: 3901645768-1537257152
                                                                                      • Opcode ID: 100d36e9098ee1f6e291b373ef841b5e89cc27fcf45a13d034fbc414d4f22e1c
                                                                                      • Instruction ID: 7946cd53ba757e5d480956cfb3fe02ba2e9384468a628089abf090fa6c3c2023
                                                                                      • Opcode Fuzzy Hash: 100d36e9098ee1f6e291b373ef841b5e89cc27fcf45a13d034fbc414d4f22e1c
                                                                                      • Instruction Fuzzy Hash: 827112715042418FCB24DF28D491F6BB7E5FF82314F1846BDE989872A1E730E94AC7A2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 00C9CACC
                                                                                      • VerSetConditionMask.KERNEL32(00000000), ref: 00C9CAD4
                                                                                      • VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 00C9CAE5
                                                                                      • KiUserCallbackDispatcher.NTDLL ref: 00C9CAF6
                                                                                        • Part of subcall function 00C9D270: __EH_prolog3.LIBCMT ref: 00C9D277
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000016), ref: 00C9D280
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(0000000F), ref: 00C9D293
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000015), ref: 00C9D2AA
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(0000000F), ref: 00C9D2B6
                                                                                        • Part of subcall function 00C9D270: GetDeviceCaps.GDI32(?,0000000C), ref: 00C9D2DE
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(0000000F), ref: 00C9D2EC
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000010), ref: 00C9D2FA
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000015), ref: 00C9D308
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000016), ref: 00C9D316
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000014), ref: 00C9D324
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000012), ref: 00C9D332
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000011), ref: 00C9D340
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000006), ref: 00C9D34B
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(0000000D), ref: 00C9D356
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(0000000E), ref: 00C9D361
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000005), ref: 00C9D36C
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000008), ref: 00C9D37A
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000009), ref: 00C9D385
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000007), ref: 00C9D390
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000002), ref: 00C9D39B
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(00000003), ref: 00C9D3A6
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(0000001B), ref: 00C9D3B4
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(0000001C), ref: 00C9D3C2
                                                                                        • Part of subcall function 00C9D270: GetSysColor.USER32(0000000A), ref: 00C9D3D0
                                                                                        • Part of subcall function 00C9CD37: __EH_prolog3_GS.LIBCMT ref: 00C9CD41
                                                                                        • Part of subcall function 00C9CD37: GetDeviceCaps.GDI32(?,00000058), ref: 00C9CD61
                                                                                        • Part of subcall function 00C9CD37: DeleteObject.GDI32(00000000), ref: 00C9CDCB
                                                                                        • Part of subcall function 00C9CD37: DeleteObject.GDI32(00000000), ref: 00C9CDE9
                                                                                        • Part of subcall function 00C9CD37: DeleteObject.GDI32(00000000), ref: 00C9CE07
                                                                                        • Part of subcall function 00C9CD37: DeleteObject.GDI32(00000000), ref: 00C9CE25
                                                                                        • Part of subcall function 00C9CD37: DeleteObject.GDI32(00000000), ref: 00C9CE43
                                                                                        • Part of subcall function 00C9CD37: DeleteObject.GDI32(00000000), ref: 00C9CE61
                                                                                        • Part of subcall function 00C9CD37: DeleteObject.GDI32(00000000), ref: 00C9CE7F
                                                                                        • Part of subcall function 00C9CB56: GetSystemMetrics.USER32 ref: 00C9CB64
                                                                                        • Part of subcall function 00C9CB56: GetSystemMetrics.USER32 ref: 00C9CB72
                                                                                        • Part of subcall function 00C9CB56: SetRectEmpty.USER32(?), ref: 00C9CB85
                                                                                        • Part of subcall function 00C9CB56: EnumDisplayMonitors.USER32(00000000,00000000,00C9C9EA,?,?,00000000,00C9CB17), ref: 00C9CB95
                                                                                        • Part of subcall function 00C9CB56: SystemParametersInfoW.USER32 ref: 00C9CBA4
                                                                                        • Part of subcall function 00C9CB56: SystemParametersInfoW.USER32 ref: 00C9CBD1
                                                                                        • Part of subcall function 00C9CB56: SystemParametersInfoW.USER32 ref: 00C9CBE5
                                                                                        • Part of subcall function 00C9CB56: SystemParametersInfoW.USER32 ref: 00C9CC0B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$DeleteObject$System$Info$Parameters$CapsConditionDeviceMaskMetrics$CallbackDispatcherDisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectUserVerifyVersion
                                                                                      • String ID:
                                                                                      • API String ID: 3326357938-0
                                                                                      • Opcode ID: 7fd307d2ec13933c3b2ab448dc1c66bf7df01e61bf98262d97c0817199783469
                                                                                      • Instruction ID: 618132d98f12e6115e48da262ae2cf864fd0eb356e4664c2b72d718ec53adf0c
                                                                                      • Opcode Fuzzy Hash: 7fd307d2ec13933c3b2ab448dc1c66bf7df01e61bf98262d97c0817199783469
                                                                                      • Instruction Fuzzy Hash: C5117BB1A00258AFDB25AF75DC5AFFB77BCEB48704F00445EB54697281DA744E448FA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 00DEAB43
                                                                                      • _free.LIBCMT ref: 00DEAB99
                                                                                        • Part of subcall function 00DEA975: _free.LIBCMT ref: 00DEA9CD
                                                                                        • Part of subcall function 00DEA975: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00F22148), ref: 00DEA9DF
                                                                                        • Part of subcall function 00DEA975: WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00DEAA57
                                                                                        • Part of subcall function 00DEA975: WideCharToMultiByte.KERNEL32(00000000,00000000,Pacific Daylight Time,000000FF,?,0000003F,00000000,?), ref: 00DEAA84
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                      • String ID:
                                                                                      • API String ID: 314583886-0
                                                                                      • Opcode ID: 2a4e1e7ab667c4716c2e3bb9d239dcc310409d337beeff270799b4920b693209
                                                                                      • Instruction ID: 80e555df6be2b4a76c52e61eb4e43fe577bddfc00b9e04bcd2737aa84778d28f
                                                                                      • Opcode Fuzzy Hash: 2a4e1e7ab667c4716c2e3bb9d239dcc310409d337beeff270799b4920b693209
                                                                                      • Instruction Fuzzy Hash: 0D210E7280015A66DB31B63EDC41EEE7779CB91320F550366F598A3141EB70ADC18775
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateThread.KERNEL32 ref: 00DD1178
                                                                                      • GetLastError.KERNEL32(?,?,?,00BBA565,00000000,00000000), ref: 00DD1184
                                                                                      • __dosmaperr.LIBCMT ref: 00DD118B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateErrorLastThread__dosmaperr
                                                                                      • String ID:
                                                                                      • API String ID: 2744730728-0
                                                                                      • Opcode ID: ca3cf67bf364190f7fbd557f75c6f9733305c5540358f5cf13eff5b1329a467f
                                                                                      • Instruction ID: 0f708835370dda0f3e467963eccf3f42053a591d12ce3944b5bf00b956a7406d
                                                                                      • Opcode Fuzzy Hash: ca3cf67bf364190f7fbd557f75c6f9733305c5540358f5cf13eff5b1329a467f
                                                                                      • Instruction Fuzzy Hash: C401803A50121ABFDB25AFA1DC05EAB7F69EF84360F15006AF91897350DA31D81597B0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00DE3709: GetLastError.KERNEL32(?,?,?,00DC622F,00DE0A0C,?,00DE36B3,00000001,00000364,?,00DD0F74,01190B70,00000010), ref: 00DE370E
                                                                                        • Part of subcall function 00DE3709: _free.LIBCMT ref: 00DE3743
                                                                                        • Part of subcall function 00DE3709: SetLastError.KERNEL32(00000000), ref: 00DE3777
                                                                                      • ExitThread.KERNEL32 ref: 00DD1015
                                                                                      • CloseHandle.KERNEL32(?,?,?,00DD11C9,?,?,00DD0FAC,00000000), ref: 00DD103D
                                                                                      • FreeLibraryAndExitThread.KERNEL32(?,?,?,?,00DD11C9,?,?,00DD0FAC,00000000), ref: 00DD1053
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
                                                                                      • String ID:
                                                                                      • API String ID: 1198197534-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(01190B70,00000010), ref: 00DD0F62
                                                                                      • ExitThread.KERNEL32 ref: 00DD0F69
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ErrorExitLastThread
                                                                                      • String ID:
                                                                                      • API String ID: 1611280651-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • WSASetLastError.WS2_32(00002726,?,00C47BC3,00C39D21,00000000,00000000,?), ref: 00C48351
                                                                                      • Sleep.KERNEL32(00000000,?,00C47BC3,00C39D21,00000000,00000000,?), ref: 00C4835D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ErrorLastSleep
                                                                                      • String ID:
                                                                                      • API String ID: 1458359878-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • EnterCriticalSection.KERNEL32(00B9441B,?,011B3810,?,00B94718,011B3810,00000000,00000000,00000000,?,00B94534,?,011B3810,?,00B943E3,00000001), ref: 00B32434
                                                                                      • LeaveCriticalSection.KERNEL32(00B9441B,011B3810,?,?,011B3810,?,00B94718,011B3810,00000000,00000000,00000000,?,00B94534,?,011B3810), ref: 00B32449
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterLeave
                                                                                      • String ID:
                                                                                      • API String ID: 3168844106-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __EH_prolog3.LIBCMT ref: 00C9BDFE
                                                                                        • Part of subcall function 00C9CA6F: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 00C9CACC
                                                                                        • Part of subcall function 00C9CA6F: VerSetConditionMask.KERNEL32(00000000), ref: 00C9CAD4
                                                                                        • Part of subcall function 00C9CA6F: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 00C9CAE5
                                                                                        • Part of subcall function 00C9CA6F: KiUserCallbackDispatcher.NTDLL ref: 00C9CAF6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ConditionMask$CallbackDispatcherH_prolog3InfoUserVerifyVersion
                                                                                      • String ID:
                                                                                      • API String ID: 594580106-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: __wsopen_s
                                                                                      • String ID:
                                                                                      • API String ID: 3347428461-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __EH_prolog3.LIBCMT ref: 00CA11ED
                                                                                        • Part of subcall function 00C778CC: __CxxThrowException@8.LIBVCRUNTIME ref: 00C778E0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      • Associated: 00000000.00000002.901026666.0000000000B30000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901459962.0000000000EDE000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901459962.0000000000F89000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901754750.0000000001197000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901760670.0000000001199000.00000008.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901765980.000000000119B000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901771492.000000000119E000.00000008.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901777518.00000000011A2000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901782378.00000000011A3000.00000008.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901788665.00000000011A8000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901788665.00000000011AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901803843.00000000011B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901823869.00000000011D2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901831770.00000000011D6000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901831770.0000000001BD6000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901831770.00000000025D6000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901831770.00000000026D9000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901831770.00000000027F9000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.901831770.0000000002854000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Exception@8H_prolog3Throw
                                                                                      • String ID:
                                                                                      • API String ID: 3670251406-0
                                                                                      • Opcode ID: bc4b5f40c92090dd9a05ff228f6d36a786ef926d2c849f09013028f280342297
                                                                                      • Instruction ID: faf29c5c7d776f02b4d2a96b061bbf5df4af4b0ece59fc0e9df4199dd75e1a2f
                                                                                      • Opcode Fuzzy Hash: bc4b5f40c92090dd9a05ff228f6d36a786ef926d2c849f09013028f280342297
                                                                                      • Instruction Fuzzy Hash: 7A01D470600207CBDB24AF70DA1176C3AA1FF52354F18412DE9A1CB281DF34CE80D720
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 56713a6503e7642a2d55597ef14f1518274b7f9be123e1b080824a1fbfafc88d
                                                                                      • Instruction ID: 16103bc9a4a9cfd045cd8c0921c19d6683d98aff99633c5b11124aa06ce55a08
                                                                                      • Opcode Fuzzy Hash: 56713a6503e7642a2d55597ef14f1518274b7f9be123e1b080824a1fbfafc88d
                                                                                      • Instruction Fuzzy Hash: E3F0A7B5500605469A18A7749883F6F32C8CF14792B0440F9FD5AC7703E615DA5892B6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00DE36B3,00000001,00000364,?,00DD0F74,01190B70,00000010), ref: 00DE09FB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      • Opcode ID: 9f7fcb2474b7420a3d18cb601efe6f4eff8336571db8e83622d78866c7aaf0f6
                                                                                      • Instruction ID: 1c86502862056b60621e6c590f4ec310391915e2d13aaf0f9bedee3b3037841d
                                                                                      • Opcode Fuzzy Hash: 9f7fcb2474b7420a3d18cb601efe6f4eff8336571db8e83622d78866c7aaf0f6
                                                                                      • Instruction Fuzzy Hash: 9EF0B4315402A9A6EB217E27DC05B7F7F48EB41770F1C8132A854AA182CAB0D881CAF0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,?,?,00B442A3), ref: 00DE0F1C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      • Opcode ID: 3bdf169641b30594d69af936775895d35787f3a81ed6f5a89e35c0d62ca1d327
                                                                                      • Instruction ID: 5b358056d4eabc1d606ce1a97bb4fff2a6dd321f04e1b7fab2d52e4a20dd89c7
                                                                                      • Opcode Fuzzy Hash: 3bdf169641b30594d69af936775895d35787f3a81ed6f5a89e35c0d62ca1d327
                                                                                      • Instruction Fuzzy Hash: FEE0ED311422A66AEA313BA3AC04B5E7F98EF417B1F090031EC50A62C0DEA0CC93C2B1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • socket.WS2_32(00000017,00000002,00000000), ref: 00C3F511
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: socket
                                                                                      • String ID:
                                                                                      • API String ID: 98920635-0
                                                                                      • Opcode ID: f5fb710e35884ce9da91d03ee93b20345e64797e49104eafcb47c568a749c032
                                                                                      • Instruction ID: 42380d96fd3a22b3ce2abceee09fa1f58fc299e7fb69cb99526a24d68ec293c1
                                                                                      • Opcode Fuzzy Hash: f5fb710e35884ce9da91d03ee93b20345e64797e49104eafcb47c568a749c032
                                                                                      • Instruction Fuzzy Hash: BBE04F347222019AEB3C5A35BDAAB7B3212BF02374F548A3CE637D91C1CB61C9456F61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __EH_prolog3_catch.LIBCMT ref: 00CA1197
                                                                                        • Part of subcall function 00CA49D9: EnterCriticalSection.KERNEL32(011AAE50,?,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004), ref: 00CA4A0A
                                                                                        • Part of subcall function 00CA49D9: InitializeCriticalSection.KERNEL32(00000000,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004,00CBD2FF), ref: 00CA4A20
                                                                                        • Part of subcall function 00CA49D9: LeaveCriticalSection.KERNEL32(011AAE50,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004,00CBD2FF), ref: 00CA4A2E
                                                                                        • Part of subcall function 00CA49D9: EnterCriticalSection.KERNEL32(00000000,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004,00CBD2FF), ref: 00CA4A3B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
                                                                                      • String ID:
                                                                                      • API String ID: 1641187343-0
                                                                                      • Opcode ID: 340ff6051598de4c28aa8515603d4b4147cb681d6aa2a040569cf224203a2899
                                                                                      • Instruction ID: 15b28f5e55c58c2e7951c0157a160321dd4bfaea44f4a37790d0f9c60fd1cc1c
                                                                                      • Opcode Fuzzy Hash: 340ff6051598de4c28aa8515603d4b4147cb681d6aa2a040569cf224203a2899
                                                                                      • Instruction Fuzzy Hash: 4CE0123450020BDBDB44BB70C4027CD7760FF52725F144525F6625B2D1DFB14990A735
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateFileW.KERNEL32(00000000,00000000,?,00DE3019,?,?,00000000,?,00DE3019,00000000,0000000C), ref: 00DE2C43
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: 204d05ca481d89222f5db3f4fa45b4a99890baf3a0505e4f6e5b8a0328fec6f7
                                                                                      • Instruction ID: 6aff17d6a9975196251e8f138766e6c3c9a07c93680063b1aad686a87972bcd1
                                                                                      • Opcode Fuzzy Hash: 204d05ca481d89222f5db3f4fa45b4a99890baf3a0505e4f6e5b8a0328fec6f7
                                                                                      • Instruction Fuzzy Hash: C8D06C3200010DBFDF029F85EC06EDA3BAAFB48754F014040FA1866160C732E861AB90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SystemParametersInfoW.USER32 ref: 00C9C9E0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoParametersSystem
                                                                                      • String ID:
                                                                                      • API String ID: 3098949447-0
                                                                                      • Opcode ID: f9bc9cd58eb27e523699ab0b160451cbab43d264684a6891546f247497862f99
                                                                                      • Instruction ID: d1b79c3cd97739430638fa4779a96d18ffad4851663b9945fb0d7d8c915796d8
                                                                                      • Opcode Fuzzy Hash: f9bc9cd58eb27e523699ab0b160451cbab43d264684a6891546f247497862f99
                                                                                      • Instruction Fuzzy Hash: 3FD01270180609EFF701AF95EC0DFA237A8EB15716F414076F6185E5A0C7B26850DFA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C8390B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: DeleteObject
                                                                                      • String ID:
                                                                                      • API String ID: 1531683806-0
                                                                                      • Opcode ID: 04de7601743562f59de711584cfae9f1651b06d01fd4724ed76b6776c21c515d
                                                                                      • Instruction ID: 6c47d4d40d73476d6bce0c81fa8ea6e619d48b0be92d332e1c5fc0f972b6ac32
                                                                                      • Opcode Fuzzy Hash: 04de7601743562f59de711584cfae9f1651b06d01fd4724ed76b6776c21c515d
                                                                                      • Instruction Fuzzy Hash: 2DB012B1D06249EECF0077329F0D3173A58DB51B1EF04A8A4F004D5011DBBEC245D705
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • PathFileExistsW.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B36E02
                                                                                      • PathFileExistsW.SHLWAPI(00000000), ref: 00B36EC7
                                                                                      • PathFileExistsW.SHLWAPI(00000000), ref: 00B36FEC
                                                                                      • PathFileExistsW.SHLWAPI(00000000), ref: 00B370B1
                                                                                      • EnterCriticalSection.KERNEL32(-000003CC,?,00000000,?,?,?,?,?,?), ref: 00B376B6
                                                                                      • CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?), ref: 00B376CE
                                                                                      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,?,?), ref: 00B376EA
                                                                                      • PathFileExistsW.SHLWAPI(?,?,?,00000000,?,?,00000000,?,?,?,?,?,?), ref: 00B37755
                                                                                      • GetFileAttributesW.KERNEL32(?,?,?,00000000,?,?,00000000,?,?,?,?,?,?), ref: 00B37765
                                                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000,?,?,00000000,?,?,?,?,?,?), ref: 00B3777F
                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,00000000,?,?,?,?,?,?), ref: 00B3778B
                                                                                      • PathFileExistsW.SHLWAPI(?,00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00B37BAB
                                                                                      • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00B37BB6
                                                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00B37BCB
                                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00B37BD2
                                                                                      • PathFileExistsW.SHLWAPI(?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00B37C06
                                                                                      • GetFileAttributesW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00B37C16
                                                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00B37C30
                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00B37C3C
                                                                                      • PathFileExistsW.SHLWAPI(?,00000000,?,?,?,?,?,?), ref: 00B37D86
                                                                                      • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B37D91
                                                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?), ref: 00B37DA6
                                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B37DAD
                                                                                      • PathFileExistsW.SHLWAPI(?,?,?,00000000,?,?,?,?,?,?), ref: 00B38171
                                                                                      • GetFileAttributesW.KERNEL32(?,?,00000000,?,?,?,?,?,?), ref: 00B3817C
                                                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,00000000,?,?,?,?,?,?), ref: 00B38191
                                                                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?), ref: 00B38198
                                                                                      • EnterCriticalSection.KERNEL32(-000003CC,80004005,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B38279
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B38291
                                                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B382AD
                                                                                      • PathFileExistsW.SHLWAPI(?,?,?,00000000), ref: 00B38318
                                                                                      • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 00B38328
                                                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 00B38342
                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00B3834E
                                                                                      • PathFileExistsW.SHLWAPI(?,00000000,?,?,?,?,?,?), ref: 00B38762
                                                                                      • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?), ref: 00B3876D
                                                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?), ref: 00B38782
                                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?), ref: 00B38789
                                                                                      • PathFileExistsW.SHLWAPI(?,?,?,00000000,?,?,?,?,?,?), ref: 00B387BD
                                                                                      • GetFileAttributesW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?), ref: 00B387CD
                                                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000,?,?,?,?,?,?), ref: 00B387E7
                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?), ref: 00B387F3
                                                                                      Strings
                                                                                      • GLNPPPPPTbprt|}"(269<AJJPPP]ls$*55@FRSZb, xrefs: 00B3878F
                                                                                      • HKLPPPPP\]bnq"((579FNVcp{*59>KP_imr!$06<, xrefs: 00B36E5A
                                                                                      • HRTWWWWWYZahmv#/44CEGNTWZZ^grz &(7DPZ]em, xrefs: 00B36DCA
                                                                                      • NTV\\\\\est!++,24=FHP]hqz)889BDIN[cjkt!", xrefs: 00B37044
                                                                                      • AADDDDDDEQ`bmmsv%(-0<JNS``fsz}(6@@DLQXeqvvy)66ES_dfq}.<IMTcr")+4<ETTUZdmuyy%-9:CETbo|&-8=BBEO]fq{*-57>HLR`dly"/8FJO^fjmvy*.27AKSailv%+449EMSbpr"+1:FJQ]lu !*7CKTTadlmy)-99EHSWYhs{}++13BNYfky%199@IQ[gtuy"#/>?FOT[enq| !(788>ELZfpqx$)/25;IS[blw{!#//1<=BFSZiv&27FPY, xrefs: 00B37E6E
                                                                                      • 5, xrefs: 00B3A60E
                                                                                      • AEKOOOOOR[fs"/7CCDIJYZgs$'1:GVet}).1<@O], xrefs: 00B3705B
                                                                                      • KMT_____hl{!/07CIO[hjy%%+:>GKZfpq{"/11@H, xrefs: 00B37B18
                                                                                      • MQTbbbbbjr|(59=ABMYZ\cry#+8@GNPSbfhr#'.:@LYajx|%08<ACOXdhn|%(/:DP_fity'-//5=KSZhsxz&++9@LMU^ciooru}#*6DL, xrefs: 00B37983
                                                                                      • M[[]]]]]ky!!..8<CGOVW]bkvyy||(366EMQZ^`ajy| .<JQ`cr#'.;DDLLPZeny#%-0;GRT, xrefs: 00B36DB3
                                                                                      • HRUVVVVVdrsz$.:<ESadixz$'.99=DMNVbnvy'+4<IPQYcgpx'0:?IP]eo{&,2AJO[aejjqy$12?AP^allw%3BKWaijlz'1;GHOT]]kw(0;ELLQWYfqsu&4CFRTbkz +:ALYYhikt"-:@FO^ahln}'()-/0>ENWemy(/:BCR^^_kx''-5?KXclt#/6<FTZhnt}#08GLW^jo|-3=GMRRapy%027:ADENUW^_ceox", xrefs: 00B37836
                                                                                      • IIMMMMMMZivy(3:==CHUVaer{##,38@MVYYYaisy, xrefs: 00B37CB4
                                                                                      • BIJKKKKKPVdpwx}(--7??AKSWZ^_ajo}()+7@ADPS\jpy(79?JT_nr|"(68BEFIO[gmx &589HKKT\`gku&)/4>FIW`jy%.9@CCCHHOX_nz%3>HL[_dlww&*-7=>FHTWY[corv"#08<GR\bcprw!00>KTU`bqr#.<DKWboy}, xrefs: 00B38912
                                                                                      • OOPTTTTT_bos$--3BEJPVX[`ks!!-6<EEIMP[jru, xrefs: 00B382ED
                                                                                      • MQWaaaaafkz$'6:AEIIU`hhw"#239GU^_ddqx)/7FGGTafgo}!"*49BO[^ciw'1<IXYegst{".5=@BGV^gtz&18FQQZ^ao|+67@OZgsx, xrefs: 00B37387
                                                                                      • EJLXXXXXXgoo|!'4>M\cjx{|'-034@DN[cr"$*38, xrefs: 00B37090
                                                                                      • MMRaaaaajv '(49EO\kv"188DOS]cfoz"*01<=>JXakx{ '38AAOX[dpy{})3:FOXccglz(0, xrefs: 00B3A59F
                                                                                      • JQRUUUUUUW]lr{}!%(1>KWfr|%/=EHJKLMMUU_bo, xrefs: 00B371A2
                                                                                      • DPQYYYYYY`fjos{}'5=IM\`chptz!&,:?HQVcmwx{)1;=JLLNSbemx'2=ILP_jp| .<<DPRUbbq{(*,3>@@JSbhloz$%*,-;;BJQR__a, xrefs: 00B38145
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$Attributes$ExistsPath$Delete$CriticalSection$CloseEnterHandleLeave
                                                                                      • API String ID: 1690736759-1161436516
                                                                                      • Opcode ID: e1c0ceb4f2753846c7398f421097ff7fb5daae65cf3c93e5a29cdea680546412
                                                                                      • Instruction ID: 0c80b162cb6055fb897c014e61d2ee640c7d7d48b0b9fb93bb57a5107e8a2819
                                                                                      • Opcode Fuzzy Hash: e1c0ceb4f2753846c7398f421097ff7fb5daae65cf3c93e5a29cdea680546412
                                                                                      • Instruction Fuzzy Hash: 77337F70A016099FDB15DB68CC98B99B7F9FF44314F2482E9E419EB2A2DB309E44DF50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • InitializeCriticalSection.KERNEL32(011B2B6C,00000000,-00000002,00000000,-00000002,00000000,-00000002,00000000,-00000002,00000000,-00000002,00000000,-00000002,00000000,-00000002,00000000), ref: 00BC1109
                                                                                      • InitializeCriticalSection.KERNEL32(011B2B84,?,?,?,011B27A0,-00000010,00EC7F75,000000FF), ref: 00BC1112
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalInitializeSection
                                                                                      • API String ID: 32694325-874667094
                                                                                      • Opcode ID: f63a0310519a02744e2589fd299f97c242625809027db2a1e466d04406bc3045
                                                                                      • Instruction ID: db55fa63ee6601e89d759100bf4a4d0f58fa0ab869791c1345a54264db7fc0ff
                                                                                      • Opcode Fuzzy Hash: f63a0310519a02744e2589fd299f97c242625809027db2a1e466d04406bc3045
                                                                                      • Instruction Fuzzy Hash: 183290356241028BDB1DBB68C865B7A36E5EF90308F1881ECEA079F246EF71DE059B51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __EH_prolog3.LIBCMT ref: 00CD9559
                                                                                      • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00CC0020), ref: 00CD978E
                                                                                      • DeleteObject.GDI32(?), ref: 00CD97A5
                                                                                      • MulDiv.KERNEL32(?,00000000,00000064), ref: 00CD9941
                                                                                      • MulDiv.KERNEL32(?,00000000,00000064), ref: 00CD995E
                                                                                      • MulDiv.KERNEL32(00000000,00000000,00000064), ref: 00CD997D
                                                                                      • MulDiv.KERNEL32(00000028,00000000,00000064), ref: 00CD999A
                                                                                      • MulDiv.KERNEL32(?,00000000,00000064), ref: 00CD99B6
                                                                                      • MulDiv.KERNEL32(00000000,00000000,00000064), ref: 00CD99D3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: DeleteH_prolog3Object
                                                                                      • String ID: d
                                                                                      • API String ID: 2942389277-2564639436
                                                                                      • Opcode ID: cf0a96a8349a56a241fe471ff0be4b7aba62855efd3ef4e07b5c56ef22923c8c
                                                                                      • Instruction ID: 36a90da595a30f4c48e70f44c42306b3dd26f3cd373c0b2add0705e1bd1a144d
                                                                                      • Opcode Fuzzy Hash: cf0a96a8349a56a241fe471ff0be4b7aba62855efd3ef4e07b5c56ef22923c8c
                                                                                      • Instruction Fuzzy Hash: A1E1BB74A0021A9FCB14EFA9DC49ABE7BB0EF44315F10416AF515EB391DB34CA15EBA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00C87A31
                                                                                      • GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,00C8730A,?,00000000,00000000,?,00C79071,00000024,?,00000000), ref: 00C87A61
                                                                                        • Part of subcall function 00C778CC: __CxxThrowException@8.LIBVCRUNTIME ref: 00C778E0
                                                                                      • PathIsUNCW.SHLWAPI(?,?,?,00000000,?,00C79071,00000024,?,00000000), ref: 00C87AD9
                                                                                      • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00C79071,00000024,?,00000000), ref: 00C87AFD
                                                                                      • CharUpperW.USER32(?,?,00C79071,00000024,?,00000000), ref: 00C87B2B
                                                                                      • FindFirstFileW.KERNEL32(00000000,?,?,00C79071,00000024,?,00000000), ref: 00C87B43
                                                                                      • FindClose.KERNEL32(00000000,?,00C79071,00000024,?,00000000), ref: 00C87B4F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3_InformationNameThrowUpperVolume
                                                                                      • String ID:
                                                                                      • API String ID: 2181567148-0
                                                                                      • Opcode ID: 5e777344c1ccdd253e602886ab58d59f0f1cf0e14d0a5572ed743e55f160f541
                                                                                      • Instruction ID: 159f6dab1fa30003b060d6d92444e4283d159f62059018f8582905da2ffc40f6
                                                                                      • Opcode Fuzzy Hash: 5e777344c1ccdd253e602886ab58d59f0f1cf0e14d0a5572ed743e55f160f541
                                                                                      • Instruction Fuzzy Hash: 92415071508215AFDB24BB61CC89EBEB36DEF10318F204799F419A2251FB31EF459B64
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • FindResourceW.KERNEL32(?,?,PNG,?,?,00EF3488,00EF3488,?,00CCE990,?,?,?,00000038,00CCD870), ref: 00CCDB9E
                                                                                      • LoadResource.KERNEL32(?,00000000,?,?,00EF3488,00EF3488,?,00CCE990,?,?,?,00000038,00CCD870), ref: 00CCDBAD
                                                                                      • LockResource.KERNEL32(00000000,?,00EF3488,00EF3488,?,00CCE990,?,?,?,00000038,00CCD870), ref: 00CCDBBA
                                                                                      • SizeofResource.KERNEL32(?,00000000,?,00EF3488,00EF3488,?,00CCE990,?,?,?,00000038,00CCD870), ref: 00CCDBCD
                                                                                        • Part of subcall function 00CCDBF3: GlobalAlloc.KERNEL32(00000002,?,00000000,?,?,?,00CCDBDF,00000000,00000000,?,00EF3488,00EF3488,?,00CCE990,?,?), ref: 00CCDC00
                                                                                      • FreeResource.KERNEL32(00000000,00000000,00000000,?,00EF3488,00EF3488,?,00CCE990,?,?,?,00000038,00CCD870), ref: 00CCDBE2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Resource$AllocFindFreeGlobalLoadLockSizeof
                                                                                      • String ID: PNG
                                                                                      • API String ID: 169377235-364855578
                                                                                      • Opcode ID: 2220d180cff75b15bc0b0e546f0d66fb2de6f017102f002797355726d6f33015
                                                                                      • Instruction ID: 240049045e33af7a9c272e271281715c8e141d63e981cbbbb9a8b224ea8c1156
                                                                                      • Opcode Fuzzy Hash: 2220d180cff75b15bc0b0e546f0d66fb2de6f017102f002797355726d6f33015
                                                                                      • Instruction Fuzzy Hash: C601DF3AA01119BF47126BA5EC98D7FBB6CEF463A1701417AFD02A7300EB309E0087A1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00B32BA0
                                                                                      • FindNextFileW.KERNEL32(?,00000010,?,?,00000000), ref: 00B32C9A
                                                                                      • FindClose.KERNEL32(?,?,?,00000000), ref: 00B32CA9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$CloseFirstNext
                                                                                      • String ID: \
                                                                                      • API String ID: 3541575487-2967466578
                                                                                      • Opcode ID: 45ccb30ab1d943d83c99f9e81476fa29aefa931a6cbdc835ef5c88866d21fb9c
                                                                                      • Instruction ID: 1d4763d9c3d7835a1681a67bca232841b724da39dea783bd121eefd86cf36de6
                                                                                      • Opcode Fuzzy Hash: 45ccb30ab1d943d83c99f9e81476fa29aefa931a6cbdc835ef5c88866d21fb9c
                                                                                      • Instruction Fuzzy Hash: EDD16771D002199BDF14EFA4CC96BEEBBB9FF08304F640599E411B7291EB34A945CBA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$+$<
                                                                                      • API String ID: 0-2356964677
                                                                                      • Opcode ID: 47fea391fbea4200c18cfa622a10551b345e0e2e83c17fdd63ca87d48df5c869
                                                                                      • Instruction ID: fbda4a19a390937956a522a677b025255e2a0b94db30aa0880d69b413d4105a5
                                                                                      • Opcode Fuzzy Hash: 47fea391fbea4200c18cfa622a10551b345e0e2e83c17fdd63ca87d48df5c869
                                                                                      • Instruction Fuzzy Hash: 95E1C575D002089BDF14CFA8D8816EDFBB5AF59325F94432AE825EB2D0D7309E898B54
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00DE3685: GetLastError.KERNEL32(?,?,00DD0F74,01190B70,00000010), ref: 00DE3689
                                                                                        • Part of subcall function 00DE3685: _free.LIBCMT ref: 00DE36BC
                                                                                        • Part of subcall function 00DE3685: SetLastError.KERNEL32(00000000), ref: 00DE36FD
                                                                                        • Part of subcall function 00DE3685: _abort.LIBCMT ref: 00DE3703
                                                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00DC6B98,?,?,?,?,00DC65EF,?,00000004), ref: 00DE57A2
                                                                                      • _wcschr.LIBVCRUNTIME ref: 00DE5832
                                                                                      • _wcschr.LIBVCRUNTIME ref: 00DE5840
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00DC6B98,00000000,00DC6CB8), ref: 00DE58E3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                      • String ID:
                                                                                      • API String ID: 4212172061-0
                                                                                      • Opcode ID: 56958349303dfbfbae466b4c87c5a0f391a2c790dd26e7522896a065c0efc1a4
                                                                                      • Instruction ID: 4038fd2d951d759b7b91b27490513d61bac1d242248702da92f338bf7e9aa972
                                                                                      • Opcode Fuzzy Hash: 56958349303dfbfbae466b4c87c5a0f391a2c790dd26e7522896a065c0efc1a4
                                                                                      • Instruction Fuzzy Hash: 3D612B71600B46AADB24BB36EC86BB673A8EF04394F18042AF905D7185EB74ED50C7B0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00C8EAF9
                                                                                        • Part of subcall function 00C88BA9: __EH_prolog3.LIBCMT ref: 00C88BB0
                                                                                      • GetCurrentThread.KERNEL32 ref: 00C8EB56
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00C8EB5F
                                                                                      • GetVersionExW.KERNEL32(?), ref: 00C8EBFB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentThread$H_prolog3H_prolog3_Version
                                                                                      • String ID:
                                                                                      • API String ID: 786120064-0
                                                                                      • Opcode ID: 454bd32cb604d285079b5ea0dd1e6bbc733f6cdff8a7ccfaa21375b0bb25c08e
                                                                                      • Instruction ID: 2f632344a105b770ed3cd0c785afbc4e3df1754a16d34742f87dd3d1aa3e017b
                                                                                      • Opcode Fuzzy Hash: 454bd32cb604d285079b5ea0dd1e6bbc733f6cdff8a7ccfaa21375b0bb25c08e
                                                                                      • Instruction Fuzzy Hash: 4241DEB0801B04CFC721AF2A898569AFBF0FF48304F908A6ED1AE97711DB70A545CF58
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00DBF982: std::regex_error::regex_error.LIBCPMT ref: 00DBF98E
                                                                                        • Part of subcall function 00DBF982: __CxxThrowException@8.LIBVCRUNTIME ref: 00DBF99C
                                                                                      • ___from_strstr_to_strchr.LIBCMT ref: 00B675D6
                                                                                      • ___from_strstr_to_strchr.LIBCMT ref: 00B675FA
                                                                                      Strings
                                                                                      • abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_, xrefs: 00B675D1, 00B675F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___from_strstr_to_strchr$Exception@8Throwstd::regex_error::regex_error
                                                                                      • String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
                                                                                      • API String ID: 451488043-3812731148
                                                                                      • Opcode ID: 7e8abf37c195810f44764bd26dc1406faef547b2589699bbbfe28761af3f06fa
                                                                                      • Instruction ID: ef1417dde62fa1c65523a141a2f8dbffbddb8f067e681dd760bcaa1a7a162c93
                                                                                      • Opcode Fuzzy Hash: 7e8abf37c195810f44764bd26dc1406faef547b2589699bbbfe28761af3f06fa
                                                                                      • Instruction Fuzzy Hash: 22E1AD75A48644DFDB25CF28C480AAABBF1FF58308F24499DE49297751DB39EC41CB60
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00BD66C0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,00DBF2AD,?,?,?,00B322F4), ref: 00BD66C3
                                                                                        • Part of subcall function 00BD66C0: GetLastError.KERNEL32(?,?,?,00B322F4), ref: 00BD66CD
                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,00B322F4), ref: 00DBF2B1
                                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B322F4), ref: 00DBF2C0
                                                                                      Strings
                                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DBF2BB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                      • API String ID: 450123788-631824599
                                                                                      • Opcode ID: cb80e9841d5859895fa86cdfd3c069b26ba457cff359fbf3a6b0eba6d59aad40
                                                                                      • Instruction ID: 811bdff54eb135fdedb52432b5e3d3f69fea5be33818c0709fb1a1dfa76f0bc1
                                                                                      • Opcode Fuzzy Hash: cb80e9841d5859895fa86cdfd3c069b26ba457cff359fbf3a6b0eba6d59aad40
                                                                                      • Instruction Fuzzy Hash: 69E0E5756017508FD334BF65E9043927BE4AF04744F00496ED45AD6741EBB5D4488B62
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: }
                                                                                      • API String ID: 0-4239843852
                                                                                      • Opcode ID: 37855170f555590070de59a0ed5acb627b93ed587d5c94e17914379c0359d20c
                                                                                      • Instruction ID: 1dc5d9f4e7895ae1e13e07a3074e58bb7504b8f29b1d205890016332f75e5b91
                                                                                      • Opcode Fuzzy Hash: 37855170f555590070de59a0ed5acb627b93ed587d5c94e17914379c0359d20c
                                                                                      • Instruction Fuzzy Hash: 47632975D04229CBDB24CF68C8807EDB7B1BF4A314F2582AAD859A7251DB34AEC5DF40
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(00000003,?,00DDF5B1,00000003,01190F38,0000000C,00DDF708,00000003,00000002,00000000,?,00DE127B,00000003), ref: 00DDF5FC
                                                                                      • TerminateProcess.KERNEL32(00000000,?,00DDF5B1,00000003,01190F38,0000000C,00DDF708,00000003,00000002,00000000,?,00DE127B,00000003), ref: 00DDF603
                                                                                      • ExitProcess.KERNEL32 ref: 00DDF615
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                      • String ID:
                                                                                      • API String ID: 1703294689-0
                                                                                      • Opcode ID: bd113a22e582d49579b66ac34223a53206a7da9eecd029d5dc69188a42ba0645
                                                                                      • Instruction ID: 6ef520b0faf696a3fe39ca09b5a68ba6fb743c498246d8f461c862ebef9111b0
                                                                                      • Opcode Fuzzy Hash: bd113a22e582d49579b66ac34223a53206a7da9eecd029d5dc69188a42ba0645
                                                                                      • Instruction Fuzzy Hash: FCE0EC31041248AFCF117FA6FD0DA583B6AEF41799F144026F9069A731EB35DD46CBA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00DC65EF,?,00000004), ref: 00DE6762
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoLocale
                                                                                      • String ID: GetLocaleInfoEx
                                                                                      • API String ID: 2299586839-2904428671
                                                                                      • Opcode ID: 388279699308b64d7757f11c15b4dd03c18c2ac2d633a3d78477862c3573695c
                                                                                      • Instruction ID: 3114f05e82c848529b2cfcd881a3895523454d9c7226734ed8ed39c29741aad1
                                                                                      • Opcode Fuzzy Hash: 388279699308b64d7757f11c15b4dd03c18c2ac2d633a3d78477862c3573695c
                                                                                      • Instruction Fuzzy Hash: 7CF0F031641208BBCB11BF62DC06EAE7FA5EB24750F440015FD056B2A1DA32DD14ABA6
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetSystemTimeAsFileTime.KERNEL32(00000000,00DCB45E), ref: 00DE67B8
                                                                                      Strings
                                                                                      • GetSystemTimePreciseAsFileTime, xrefs: 00DE6794
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Time$FileSystem
                                                                                      • String ID: GetSystemTimePreciseAsFileTime
                                                                                      • API String ID: 2086374402-595813830
                                                                                      • Opcode ID: b8f1f603b9da7b99f5cf66b28b89f3e0babaaf7694505ca63aff31c5e1b4a082
                                                                                      • Instruction ID: 61dfbd6180ac74501c0e831ebeffad97be1589deb1b91e9d90a87660a6389748
                                                                                      • Opcode Fuzzy Hash: b8f1f603b9da7b99f5cf66b28b89f3e0babaaf7694505ca63aff31c5e1b4a082
                                                                                      • Instruction Fuzzy Hash: 8AE05530A41158AB8310BF22EC06CBEBFA1CB24B50B840069FC026B381CD318D00A2EA
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 52996d02b1e0a6c55b4d49d1e77c214200726b5485a98fff9acaecf812fa0e37
                                                                                      • Instruction ID: 7f5eb09490d0df8777081aaf9684eb221fb03c19954204efa469ea2ae89d89e6
                                                                                      • Opcode Fuzzy Hash: 52996d02b1e0a6c55b4d49d1e77c214200726b5485a98fff9acaecf812fa0e37
                                                                                      • Instruction Fuzzy Hash: 7F021E71E002199FDF14CFA9D8907AEBBF1EF88314F29826AD919E7345D731A9418B90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ERCP
                                                                                      • API String ID: 0-1384759551
                                                                                      • Opcode ID: 4881436098a5cf4562b555c0d78bb1715873b0ddba32d17f42d2046050aaf361
                                                                                      • Instruction ID: 1be52b9eee101dbf662a72d117734225a36cddc3b8697e4aef6ef8a3b30ca1d0
                                                                                      • Opcode Fuzzy Hash: 4881436098a5cf4562b555c0d78bb1715873b0ddba32d17f42d2046050aaf361
                                                                                      • Instruction Fuzzy Hash: 69C25B756083418BC734DF18C4816EAB7E1FFC9314F644A2DE8A987381D7B1A9C2DB96
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ERCP
                                                                                      • API String ID: 0-1384759551
                                                                                      • Opcode ID: b02fa8b75179bebef40ad4117fc212072774113c35dbbb41f0496ce5f81da472
                                                                                      • Instruction ID: f6dd8a246532254d9f44cc40256c62b5427a1743038b11ddb9d3ce3694667e25
                                                                                      • Opcode Fuzzy Hash: b02fa8b75179bebef40ad4117fc212072774113c35dbbb41f0496ce5f81da472
                                                                                      • Instruction Fuzzy Hash: CE925BB06093418FD724CF19C4807ABB7E1BF8A304F504A2EE99987391DB74D985DB92
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,00000100,?,00000008,?,?,00DE02E8,00000100,?,00000008,?,?,00DF056B,00000000), ref: 00DE051A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionRaise
                                                                                      • String ID:
                                                                                      • API String ID: 3997070919-0
                                                                                      • Opcode ID: 8672f7cc0c8674d93b8967f06c6caa1b10ecf13e73294cbd4eaae8a26221ed32
                                                                                      • Instruction ID: 007edc4ae741dceb0552b9ab341ef7dc3001dae537301b22ae28b6cd6fb71250
                                                                                      • Opcode Fuzzy Hash: 8672f7cc0c8674d93b8967f06c6caa1b10ecf13e73294cbd4eaae8a26221ed32
                                                                                      • Instruction Fuzzy Hash: A0B146312106498FD715DF29C48ABA57FA0FF04324F298658E99ACF2A1C375E982CF50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00DE3685: GetLastError.KERNEL32(?,?,00DD0F74,01190B70,00000010), ref: 00DE3689
                                                                                        • Part of subcall function 00DE3685: _free.LIBCMT ref: 00DE36BC
                                                                                        • Part of subcall function 00DE3685: SetLastError.KERNEL32(00000000), ref: 00DE36FD
                                                                                        • Part of subcall function 00DE3685: _abort.LIBCMT ref: 00DE3703
                                                                                      • EnumSystemLocalesW.KERNEL32(00DE5AAB,00000001,00000000,?,00DC6B91,?,00DE60D8,00000000,?,?,?), ref: 00DE59F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                      • String ID:
                                                                                      • API String ID: 1084509184-0
                                                                                      • Opcode ID: 6d424bf46a4a2e65dbe6bc8e62d9a28b877231805e2cb9e4998fa798e626a70e
                                                                                      • Instruction ID: 0734d3293078172bf72f4c132fcebe7a404f082a48ce728ba1a69889c5f7d51e
                                                                                      • Opcode Fuzzy Hash: 6d424bf46a4a2e65dbe6bc8e62d9a28b877231805e2cb9e4998fa798e626a70e
                                                                                      • Instruction Fuzzy Hash: 15110636200B059FDB18AF3A98D15BAB792FB843ACB18452DE94647640D7717902CB60
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00DE3685: GetLastError.KERNEL32(?,?,00DD0F74,01190B70,00000010), ref: 00DE3689
                                                                                        • Part of subcall function 00DE3685: _free.LIBCMT ref: 00DE36BC
                                                                                        • Part of subcall function 00DE3685: SetLastError.KERNEL32(00000000), ref: 00DE36FD
                                                                                        • Part of subcall function 00DE3685: _abort.LIBCMT ref: 00DE3703
                                                                                      • EnumSystemLocalesW.KERNEL32(00DE5CFB,00000001,?,?,00DC6B91,?,00DE609C,00DC6B91,?,?,?,?,?,00DC6B91,?,?), ref: 00DE5A6A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                      • String ID:
                                                                                      • API String ID: 1084509184-0
                                                                                      • Opcode ID: 31443e88f257a499c81388e920b20af8515106c4091410c5a1b0e5564022e91d
                                                                                      • Instruction ID: 548822cfcdd296a8f39da8f2c9c3ed16f41cb2196b9d16d5ac824eb1f7b3674f
                                                                                      • Opcode Fuzzy Hash: 31443e88f257a499c81388e920b20af8515106c4091410c5a1b0e5564022e91d
                                                                                      • Instruction Fuzzy Hash: 2DF028363007455FDB146F3AA8C167A7B91EF8039CB09413DF9068B650D671AD028730
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00DE074F: EnterCriticalSection.KERNEL32(?,?,00DE3425,?,011910A0,00000008,00DE34F3,?,?,?), ref: 00DE075E
                                                                                      • EnumSystemLocalesW.KERNEL32(00DE61FF,00000001,01191180,0000000C), ref: 00DE627D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                      • String ID:
                                                                                      • API String ID: 1272433827-0
                                                                                      • Opcode ID: 48da9f008ae8f6ef7ce188ce0cedcdbc730449d6403eca0a320df6b949f96881
                                                                                      • Instruction ID: f93268be909f054bfda56a9bb521be3363167cba3124ea846f591b27e808b864
                                                                                      • Opcode Fuzzy Hash: 48da9f008ae8f6ef7ce188ce0cedcdbc730449d6403eca0a320df6b949f96881
                                                                                      • Instruction Fuzzy Hash: 84F04F72A10204EFDB54EF68D846B9D3BF0EB04720F14812AF521DB2D5C7B589808B65
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00DE3685: GetLastError.KERNEL32(?,?,00DD0F74,01190B70,00000010), ref: 00DE3689
                                                                                        • Part of subcall function 00DE3685: _free.LIBCMT ref: 00DE36BC
                                                                                        • Part of subcall function 00DE3685: SetLastError.KERNEL32(00000000), ref: 00DE36FD
                                                                                        • Part of subcall function 00DE3685: _abort.LIBCMT ref: 00DE3703
                                                                                      • EnumSystemLocalesW.KERNEL32(00DE588F,00000001,?,?,?,00DE60FA,00DC6B91,?,?,?,?,?,00DC6B91,?,?,?), ref: 00DE596F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                      • String ID:
                                                                                      • API String ID: 1084509184-0
                                                                                      • Opcode ID: 591de6971886a9aafa308e05747db3c53dc73a11275bae2b36f336976bb847bd
                                                                                      • Instruction ID: 7b72dd6e3dccb8dbcad03f43051a6ed1ecbb5118e27fde2a959e5dc7180079a5
                                                                                      • Opcode Fuzzy Hash: 591de6971886a9aafa308e05747db3c53dc73a11275bae2b36f336976bb847bd
                                                                                      • Instruction Fuzzy Hash: A3F0EC353002459BCB04BF36EC45676BF95EFC1768B0A405DEE058B251C6719D42CBB0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f5de4bbf6bb9fb0d114d48245325052d3c65a28fa8db9e1bf6d989016559ecb1
                                                                                      • Instruction ID: 4b48f00c8d2fda5d4b44f6ed7ee552f1479de55f2d6270d5f5aaa1109604c90d
                                                                                      • Opcode Fuzzy Hash: f5de4bbf6bb9fb0d114d48245325052d3c65a28fa8db9e1bf6d989016559ecb1
                                                                                      • Instruction Fuzzy Hash: 272273316042419BCB28CE59C4A07AEB3E1FF86324F25495EE86AC72A0D735DDD5E782
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e057026b6fc3d1eda5bebd29d18ff3bc259461c6a6808896a5b27f88286705ca
                                                                                      • Instruction ID: 771ab64d39a72ee6fdd9513b4f30e0e7fda9032959ed5265e80f9012945b9435
                                                                                      • Opcode Fuzzy Hash: e057026b6fc3d1eda5bebd29d18ff3bc259461c6a6808896a5b27f88286705ca
                                                                                      • Instruction Fuzzy Hash: 29C1F0B0900B429FDB14CF29C094B52BBE0FF95314F24C69AE8598B752D3B9E995CF90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: adaaa4a7b673d5edb6d08027f3fa4e98cc3f9a0fd4fef3acba587128c41659d8
                                                                                      • Instruction ID: b01ccfee6ffb0753c00de72bcc251f672b632d19c72a7932816968bb4eff07c0
                                                                                      • Opcode Fuzzy Hash: adaaa4a7b673d5edb6d08027f3fa4e98cc3f9a0fd4fef3acba587128c41659d8
                                                                                      • Instruction Fuzzy Hash: 4861577120070B66DE385A2899FDFBEE3DADB45754F1C051EE883DB281C611DD82837A
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a625b9eba9145edd87105e79f6f5b1351ad9b59befbeb0c2c4410287da191a6d
                                                                                      • Instruction ID: 0496e2104801474cfa4376b4e1a8bd8cb8c3619f2c13d801a5d2a1982fe8965e
                                                                                      • Opcode Fuzzy Hash: a625b9eba9145edd87105e79f6f5b1351ad9b59befbeb0c2c4410287da191a6d
                                                                                      • Instruction Fuzzy Hash: FA415367A082545BCF148E79D8A52FF7FE18A7B60479E50EAD4C1E7303D426870AAB60
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8af6c6b0d0736da85f23d929c6c8f9b01fceadbaab3a1a9b841de5d04a70140d
                                                                                      • Instruction ID: 92392f29b40698eb2ed7af8e5d43bc5c7db631c34b99914816b7741653d0b0ec
                                                                                      • Opcode Fuzzy Hash: 8af6c6b0d0736da85f23d929c6c8f9b01fceadbaab3a1a9b841de5d04a70140d
                                                                                      • Instruction Fuzzy Hash: D3413A61409AE01EC3228B7985644B6FFF08E1B13274E87CEE8F58F9D3C515A709EB60
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___swprintf_l.LIBCMT ref: 00C5349A
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C534C3
                                                                                      • ___swprintf_l.LIBCMT ref: 00C534D5
                                                                                      • __allrem.LIBCMT ref: 00C534FA
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C53508
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C53518
                                                                                      • ___swprintf_l.LIBCMT ref: 00C5352A
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C53550
                                                                                      • ___swprintf_l.LIBCMT ref: 00C53562
                                                                                      • __allrem.LIBCMT ref: 00C53584
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C53592
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C535A2
                                                                                      • ___swprintf_l.LIBCMT ref: 00C535B4
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C535D9
                                                                                      • ___swprintf_l.LIBCMT ref: 00C535EB
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C53610
                                                                                      • ___swprintf_l.LIBCMT ref: 00C53622
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C53639
                                                                                      • ___swprintf_l.LIBCMT ref: 00C5364B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$___swprintf_l$__allrem
                                                                                      • String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
                                                                                      • API String ID: 2797256748-2102732564
                                                                                      • Opcode ID: e74c532205f55e634e9ee802c150b6ba29c09c8c177e7755f2f75605c6d53cef
                                                                                      • Instruction ID: 613630746825d6c362b68fc561b7a2a72766d2b37c4b0653f7d9f7273e79dd5b
                                                                                      • Opcode Fuzzy Hash: e74c532205f55e634e9ee802c150b6ba29c09c8c177e7755f2f75605c6d53cef
                                                                                      • Instruction Fuzzy Hash: 1D41C8BBB806A436E92265497C03FEF121CDBC1F96F150429FE19BB1C196906A9902FD
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • PathFileExistsW.SHLWAPI(00000000,?,7F82841F,?,?,?,000000FF,?,00B37606,?,00000000,?,?,?,?,?), ref: 00B3AB28
                                                                                      • EnterCriticalSection.KERNEL32(00000000,?,000000FF,?,00B37606,?,00000000,?,?,?,?,?,?), ref: 00B3AB6C
                                                                                      • LeaveCriticalSection.KERNEL32(00000000,?,000000FF,?,00B37606,?,00000000,?,?,?,?,?,?), ref: 00B3AB88
                                                                                      • EnterCriticalSection.KERNEL32(00000000,00000000,?,000000FF), ref: 00B3ABA9
                                                                                      • LeaveCriticalSection.KERNEL32(00000000,?,?,000000FF), ref: 00B3ABC0
                                                                                      • EnterCriticalSection.KERNEL32(00000000,00000000,?,000000FF), ref: 00B3AC02
                                                                                      • LeaveCriticalSection.KERNEL32(00000000,?,?,000000FF), ref: 00B3AC19
                                                                                      • EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,000000FF), ref: 00B3AC83
                                                                                      • LeaveCriticalSection.KERNEL32(00000000,00000000,?,?,?,?,?,?,000000FF), ref: 00B3AC97
                                                                                      • EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00B3AD22
                                                                                      • LeaveCriticalSection.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00B3AD36
                                                                                      • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00B3AD99
                                                                                      • LeaveCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00B3ADB0
                                                                                      • WaitForSingleObject.KERNEL32(?,00000BB8,?), ref: 00B3AE21
                                                                                      • EnterCriticalSection.KERNEL32(00000000,00000000), ref: 00B3AE42
                                                                                      • LeaveCriticalSection.KERNEL32(00000000,?), ref: 00B3AE59
                                                                                      Strings
                                                                                      • DRSYYYYY_ceegkq .2?JKWZepr!#.:GQ[ilq{),/, xrefs: 00B3AC5D
                                                                                      • LTUdddddjnww .58@IQTTbiit"$3BHTcq{!&.28D, xrefs: 00B3AC43
                                                                                      • HVY^^^^^gkvvv%.77=JOX^dss '18@BCR\ivv".5, xrefs: 00B3ACFC
                                                                                      • PYYcccccfs|&(3>FJN\`bet}.8:@@GLMWan|}&27, xrefs: 00B3ABE7
                                                                                      • APRRRRRRS__hly!#008<CNWcqq"#16CKP[gjr#18, xrefs: 00B3AE27
                                                                                      • O^dgggggsw!/23BCGUUZfhtxx)68>HQ_jlx}%45=, xrefs: 00B3ACE2
                                                                                      • LT[_____gtu#',/6DQ[]apy)18BMOQ^ajjjy{$,6, xrefs: 00B3AD7E
                                                                                      • DMPXXXXXgu")/6@HJQ`gkkz| #.;FMXelw{}$.=I, xrefs: 00B3AB8E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterLeave$ExistsFileObjectPathSingleWait
                                                                                      • String ID: APRRRRRRS__hly!#008<CNWcqq"#16CKP[gjr#18$DMPXXXXXgu")/6@HJQ`gkkz| #.;FMXelw{}$.=I$DRSYYYYY_ceegkq .2?JKWZepr!#.:GQ[ilq{),/$HVY^^^^^gkvvv%.77=JOX^dss '18@BCR\ivv".5$LTUdddddjnww .58@IQTTbiit"$3BHTcq{!&.28D$LT[_____gtu#',/6DQ[]apy)18BMOQ^ajjjy{$,6$O^dgggggsw!/23BCGUUZfhtxx)68>HQ_jlx}%45=$PYYcccccfs|&(3>FJN\`bet}.8:@@GLMWan|}&27
                                                                                      • API String ID: 1211496803-1960759659
                                                                                      • Opcode ID: 0f39ed6bb20711b4597c82ed4646940d315f97bc98777bfaf75f44c47aab275f
                                                                                      • Instruction ID: c0de80a0aafc4d4eabc1dc778e4adb91565a67ae85f097e4ed585a8019c89599
                                                                                      • Opcode Fuzzy Hash: 0f39ed6bb20711b4597c82ed4646940d315f97bc98777bfaf75f44c47aab275f
                                                                                      • Instruction Fuzzy Hash: 09B18F7160160AAFD704EB69DC49B5AF7F8FF44325F148299B525E73A2EB30A904CB90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • RegisterClipboardFormatW.USER32(Native), ref: 00D5949E
                                                                                      • RegisterClipboardFormatW.USER32(OwnerLink), ref: 00D594AB
                                                                                      • RegisterClipboardFormatW.USER32(ObjectLink), ref: 00D594B9
                                                                                      • RegisterClipboardFormatW.USER32(Embedded Object), ref: 00D594C7
                                                                                      • RegisterClipboardFormatW.USER32(Embed Source), ref: 00D594D5
                                                                                      • RegisterClipboardFormatW.USER32(Link Source), ref: 00D594E3
                                                                                      • RegisterClipboardFormatW.USER32(Object Descriptor), ref: 00D594F1
                                                                                      • RegisterClipboardFormatW.USER32(Link Source Descriptor), ref: 00D594FF
                                                                                      • RegisterClipboardFormatW.USER32(FileName), ref: 00D5950D
                                                                                      • RegisterClipboardFormatW.USER32(FileNameW), ref: 00D5951B
                                                                                      • RegisterClipboardFormatW.USER32(Rich Text Format), ref: 00D59529
                                                                                      • RegisterClipboardFormatW.USER32(RichEdit Text and Objects), ref: 00D59537
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClipboardFormatRegister
                                                                                      • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
                                                                                      • API String ID: 1228543026-2889995556
                                                                                      • Opcode ID: d76992f19eb863e598c299212ff5a7d79020c5b7e9362221e1ce9c655e8a6e6a
                                                                                      • Instruction ID: b1df0a925f7b978994ef138298096bec7545ee09bbf0de3cc6feb12f9fc644b2
                                                                                      • Opcode Fuzzy Hash: d76992f19eb863e598c299212ff5a7d79020c5b7e9362221e1ce9c655e8a6e6a
                                                                                      • Instruction Fuzzy Hash: BF11A871943B01AFDB60AFB2AC5D425BBB4FF487013184D5EF146AE6B0D674D108AF85
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog3_
                                                                                      • String ID: (
                                                                                      • API String ID: 2427045233-3887548279
                                                                                      • Opcode ID: 3540d92f110a4edd5db907bd59ac9c6b781d60d868983b8924209d22629bdf2e
                                                                                      • Instruction ID: 22f7616358ce606eb855afdd607226be9f84352c5464745814db895c57427354
                                                                                      • Opcode Fuzzy Hash: 3540d92f110a4edd5db907bd59ac9c6b781d60d868983b8924209d22629bdf2e
                                                                                      • Instruction Fuzzy Hash: 60C13870901269DFDB24EF65DC45BADBBB9FF58300F0081EAE54AA6261DB305E84DF21
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00CCF9CC
                                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 00CCFA35
                                                                                      • GetObjectW.GDI32(?,00000018,?,00000000), ref: 00CCFA53
                                                                                      • SelectObject.GDI32(?,?), ref: 00CCFA81
                                                                                      • CreateCompatibleDC.GDI32(?), ref: 00CCFAAA
                                                                                      • CreateDIBSection.GDI32(?,00000000,00000000,?,00000000,00000000), ref: 00CCFB00
                                                                                      • SelectObject.GDI32(?,?), ref: 00CCFB12
                                                                                      • SelectObject.GDI32(?,00000000), ref: 00CCFB21
                                                                                      • SelectObject.GDI32(?,?), ref: 00CCFB34
                                                                                      • DeleteObject.GDI32(?), ref: 00CCFB3C
                                                                                      • BitBlt.GDI32(?,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 00CCFB72
                                                                                      • SelectObject.GDI32(?,?), ref: 00CCFC8D
                                                                                      • SelectObject.GDI32(?,?), ref: 00CCFC99
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Object$Select$Create$Compatible$DeleteH_prolog3_Section
                                                                                      • String ID: (
                                                                                      • API String ID: 1429849173-3887548279
                                                                                      • Opcode ID: 4201c122ac2730b8da9304592b08dfccd420e0e1624dd636d9def852854e510e
                                                                                      • Instruction ID: 8b31322f2cdbc24933828cae08d796410dee58ff44452b6d89264b9a4ebdc768
                                                                                      • Opcode Fuzzy Hash: 4201c122ac2730b8da9304592b08dfccd420e0e1624dd636d9def852854e510e
                                                                                      • Instruction Fuzzy Hash: FDA11971A01209DFDF21EFA5C985AAEBBB5FF48304F20412EE416A7261DB309E46DF10
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • PathFileExistsW.SHLWAPI(?,7F82841F,?,00000010,?,00EC9850,000000FF,?,00B382C2), ref: 00BD2777
                                                                                      • SetLastError.KERNEL32(E0008001,?,00EC9850,000000FF,?,00B382C2), ref: 00BD2782
                                                                                      • GetFileAttributesW.KERNEL32(?,?,00EC9850,000000FF,?,00B382C2), ref: 00BD279E
                                                                                      • SetLastError.KERNEL32(E0008002,?,00EC9850,000000FF,?,00B382C2), ref: 00BD27B2
                                                                                      Strings
                                                                                      • GLR\\\\\]gv|*8??IOX_eltu!07@FRacfkw#,..7, xrefs: 00BD284B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLast$AttributesExistsPath
                                                                                      • String ID: GLR\\\\\]gv|*8??IOX_eltu!07@FRacfkw#,..7
                                                                                      • API String ID: 2811593863-1699477200
                                                                                      • Opcode ID: 1f000ff47286715d48840b7154e2eb9d3c8b21631bba06f6903859a58ba448f8
                                                                                      • Instruction ID: 824b01c00c1a1557770734f387abf5a4d1effd7e69e6178b2a07bf636d955ce8
                                                                                      • Opcode Fuzzy Hash: 1f000ff47286715d48840b7154e2eb9d3c8b21631bba06f6903859a58ba448f8
                                                                                      • Instruction Fuzzy Hash: F251B1719011459FDB00DFA9DC48B9AFBF4FF55324F1442AAE415E73A1EB319D049BA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___free_lconv_mon.LIBCMT ref: 00DE4567
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE384B
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE385D
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE386F
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE3881
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE3893
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE38A5
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE38B7
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE38C9
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE38DB
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE38ED
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE38FF
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE3911
                                                                                        • Part of subcall function 00DE382E: _free.LIBCMT ref: 00DE3923
                                                                                      • _free.LIBCMT ref: 00DE455C
                                                                                        • Part of subcall function 00DE1298: RtlFreeHeap.NTDLL(00000000,00000000,?,00DE3F9B,?,00000000,?,00000000,?,00DE423F,?,00000007,?,?,00DE46BB,?), ref: 00DE12AE
                                                                                        • Part of subcall function 00DE1298: GetLastError.KERNEL32(?,?,00DE3F9B,?,00000000,?,00000000,?,00DE423F,?,00000007,?,?,00DE46BB,?,?), ref: 00DE12C0
                                                                                      • _free.LIBCMT ref: 00DE457E
                                                                                      • _free.LIBCMT ref: 00DE4593
                                                                                      • _free.LIBCMT ref: 00DE459E
                                                                                      • _free.LIBCMT ref: 00DE45C0
                                                                                      • _free.LIBCMT ref: 00DE45D3
                                                                                      • _free.LIBCMT ref: 00DE45E1
                                                                                      • _free.LIBCMT ref: 00DE45EC
                                                                                      • _free.LIBCMT ref: 00DE4624
                                                                                      • _free.LIBCMT ref: 00DE462B
                                                                                      • _free.LIBCMT ref: 00DE4648
                                                                                      • _free.LIBCMT ref: 00DE4660
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                      • String ID:
                                                                                      • API String ID: 161543041-0
                                                                                      • Opcode ID: 5b42e32b2a7dface3bc4fbc8fd4be1a9eecf7b4d0cc6a27dd5b6465ae754ee11
                                                                                      • Instruction ID: 2e05e5c1bfe88c9ef0d8da366ddb3131767d4ae468808eca46adcde17837f71a
                                                                                      • Opcode Fuzzy Hash: 5b42e32b2a7dface3bc4fbc8fd4be1a9eecf7b4d0cc6a27dd5b6465ae754ee11
                                                                                      • Instruction Fuzzy Hash: D83119716007889FEB21BA3ADC46BAA73E9EF41310F584919E558D7191DE31ED808B34
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GlobalAlloc.KERNEL32(00000002,?,00000000,?,?,?,00CCDBDF,00000000,00000000,?,00EF3488,00EF3488,?,00CCE990,?,?), ref: 00CCDC00
                                                                                      • GlobalLock.KERNEL32 ref: 00CCDC18
                                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 00CCDC34
                                                                                      • EnterCriticalSection.KERNEL32(011ABA60,00000000), ref: 00CCDC4D
                                                                                      • LeaveCriticalSection.KERNEL32(011ABA60,00000000), ref: 00CCDCB7
                                                                                        • Part of subcall function 00C778CC: __CxxThrowException@8.LIBVCRUNTIME ref: 00C778E0
                                                                                      • __EH_prolog3.LIBCMT ref: 00CCDCD5
                                                                                      • GetObjectW.GDI32(00000000,00000018,?,?,?,?,?,?,?,?,00000000,00000004,00B31A84,00000001), ref: 00CCDDD0
                                                                                      • DeleteObject.GDI32(00000000), ref: 00CCDDDD
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Global$CriticalObjectSection$AllocCreateDeleteEnterException@8H_prolog3LeaveLockStreamThrow
                                                                                      • String ID:
                                                                                      • API String ID: 1998389736-3916222277
                                                                                      • Opcode ID: e83227dcd071500f783fba3e1c398760133b20e981b9fc93ed91294a3d4d69be
                                                                                      • Instruction ID: 91c61f5771d9789772ee2540246b215743bc01b977682b29bcb0856d6925576f
                                                                                      • Opcode Fuzzy Hash: e83227dcd071500f783fba3e1c398760133b20e981b9fc93ed91294a3d4d69be
                                                                                      • Instruction Fuzzy Hash: D1819D71900616AFCB14AFA5DC45FAEB778FF04304F00413DE826AA291DB709E55DBA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C5369F
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C536DD
                                                                                      • ___swprintf_l.LIBCMT ref: 00C53735
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C5374D
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C53782
                                                                                      • ___swprintf_l.LIBCMT ref: 00C53797
                                                                                      • ___swprintf_l.LIBCMT ref: 00C537B2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$___swprintf_l
                                                                                      • String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd
                                                                                      • API String ID: 2070094197-564197712
                                                                                      • Opcode ID: 5d014da6b405c4cbc0e0f1665ca2bd32a8139fdebd886b888a920628b43d7cc9
                                                                                      • Instruction ID: e828aab3bd87e1386f0c5cd7ae0a4391d64c7b38b77a9113969ef8a5ad3939bd
                                                                                      • Opcode Fuzzy Hash: 5d014da6b405c4cbc0e0f1665ca2bd32a8139fdebd886b888a920628b43d7cc9
                                                                                      • Instruction Fuzzy Hash: A34147B7F002487AEB205D6D8C42FEEB7A9DB84B91F050178FD08FB281E9719E5452E4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __EH_prolog3.LIBCMT ref: 00CD68AE
                                                                                      • GetObjectW.GDI32(?,00000018,?,00000048,00CCEFE2,?,?), ref: 00CD68C8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog3Object
                                                                                      • String ID:
                                                                                      • API String ID: 133200376-3916222277
                                                                                      • Opcode ID: a33734baeed13c144eb559f8988cc196572ada15c32de4859d1ae23e348b4750
                                                                                      • Instruction ID: 8494f553ae63c22089f2971922a79f7b3ff73b0653f5bc4201ace3829605a765
                                                                                      • Opcode Fuzzy Hash: a33734baeed13c144eb559f8988cc196572ada15c32de4859d1ae23e348b4750
                                                                                      • Instruction Fuzzy Hash: 15416E72D00115AFDB11ABE0DC49AFEBB79EF54301F10811AF611BA3A1DB719E09EB60
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00CCE2E4
                                                                                      • GetObjectW.GDI32(?,00000018,?,000000A8,00CCE8F2,?,00000010,00000038,00CCD870), ref: 00CCE30D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: H_prolog3_Object
                                                                                      • String ID:
                                                                                      • API String ID: 2214263146-0
                                                                                      • Opcode ID: 8671ced11f36b18904dc169d98e9cb0ac8304bc484c2d95b8868b14c5ba37a30
                                                                                      • Instruction ID: f2a43257626868e48df1a162be8b99f9610bf94b2506d4010f42ce1a471bd5ce
                                                                                      • Opcode Fuzzy Hash: 8671ced11f36b18904dc169d98e9cb0ac8304bc484c2d95b8868b14c5ba37a30
                                                                                      • Instruction Fuzzy Hash: 57811971E002298BDB24DFA9C884A9DBBB5FF59304F14816EE859E7311DB30AE45DF50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00BD3710: PathFindFileNameW.SHLWAPI(00000000,00000010), ref: 00BD3725
                                                                                      • PathRemoveExtensionW.SHLWAPI(00000010), ref: 00BD381A
                                                                                      • PathFileExistsW.SHLWAPI ref: 00BD38CE
                                                                                      • __fread_nolock.LIBCMT ref: 00BD3A3F
                                                                                      Strings
                                                                                      • JWX\\\\\ao} $%*5CKRY[[[^erz)6CHMUVVer!.=, xrefs: 00BD396B
                                                                                      • LT[_____npw$/9==CIVacnp{|"/5>@AGT^_msz!&, xrefs: 00BD3908
                                                                                      • APRRRRRR_mow#*2=ABBJWals"(3BJPYYgjpv"$)2, xrefs: 00BD3943
                                                                                      • 0, xrefs: 00BD3B3D
                                                                                      • HVY^^^^^kty{|').6@HR]es"$.5<<@HHPQTZ``dj, xrefs: 00BD38D8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Path$File$ExistsExtensionFindNameRemove__fread_nolock
                                                                                      • String ID: 0$APRRRRRR_mow#*2=ABBJWals"(3BJPYYgjpv"$)2$HVY^^^^^kty{|').6@HR]es"$.5<<@HHPQTZ``dj$JWX\\\\\ao} $%*5CKRY[[[^erz)6CHMUVVer!.=$LT[_____npw$/9==CIVacnp{|"/5>@AGT^_msz!&
                                                                                      • API String ID: 2516054526-2614603060
                                                                                      • Opcode ID: 68d4ac0537c6cce2efe85b2f16d75f4725132256f2a45b223ad13bb7bbbdce13
                                                                                      • Instruction ID: 53b267c3adb6854d4a34a9e075ec09b6f19cd45c5e65f5ff458498ba94272838
                                                                                      • Opcode Fuzzy Hash: 68d4ac0537c6cce2efe85b2f16d75f4725132256f2a45b223ad13bb7bbbdce13
                                                                                      • Instruction Fuzzy Hash: F0E1AF71A006188BDB24DB68CC89B99F7F5EF44710F0442DAE419AB392EB719E44CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateProcessW.KERNEL32 ref: 00BD44C3
                                                                                      • WaitForSingleObject.KERNEL32(?,00BD6B87), ref: 00BD44D9
                                                                                      • GetExitCodeProcess.KERNEL32 ref: 00BD44E6
                                                                                      • CloseHandle.KERNEL32(?), ref: 00BD450C
                                                                                      • CloseHandle.KERNEL32(?), ref: 00BD4511
                                                                                      Strings
                                                                                      • JUUXXXXX]`nq!(7DPQXbcpq}!$/=KZ]eksz|'57C, xrefs: 00BD4372
                                                                                      • DDGNNNNNSVYY_ft}(-;BOY\co *39CHO[gvw -6D, xrefs: 00BD441E
                                                                                      • D, xrefs: 00BD43D3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandleProcess$CodeCreateExitObjectSingleWait
                                                                                      • String ID: D$DDGNNNNNSVYY_ft}(-;BOY\co *39CHO[gvw -6D$JUUXXXXX]`nq!(7DPQXbcpq}!$/=KZ]eksz|'57C
                                                                                      • API String ID: 976364251-3778148213
                                                                                      • Opcode ID: a75d6d886d075b4e1e5030dd5450707c219806de563eb36471c4e1d36c532218
                                                                                      • Instruction ID: 1a23f15b5eda535e6c96e48e2dda297be8c220736fac26bd1a5a44f1f4a199e7
                                                                                      • Opcode Fuzzy Hash: a75d6d886d075b4e1e5030dd5450707c219806de563eb36471c4e1d36c532218
                                                                                      • Instruction Fuzzy Hash: FA717B719006099FDB10DFA9D849B9EF7F8EF54324F2482A9E425AB392EB709D04CF50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e0d085ead16283f924f59c74dbcb40f22954126fcc35bd7f956ea26e258b7179
                                                                                      • Instruction ID: 08b14c42eccbff1766e8179adbcf56bf3b9ba28c97d0cf08f5e996e900db3883
                                                                                      • Opcode Fuzzy Hash: e0d085ead16283f924f59c74dbcb40f22954126fcc35bd7f956ea26e258b7179
                                                                                      • Instruction Fuzzy Hash: 82C1E378F442899FCB11EFAAD845BADBBB1FF0A310F184159E554A7382D7309981CB71
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __EH_prolog3_GS.LIBCMT ref: 00CCD90A
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00EEF8EC,00000000,01163094,00000000,00F6C800,00000000,?,?,00000A38,00CCE8D9,?,00000000,00000038), ref: 00CCD9A1
                                                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00F6C800,00000000,?,?,00000A38,00CCE8D9,?,00000000,00000038), ref: 00CCDA43
                                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00CCDA53
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00CCDA5C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$CloseCreateH_prolog3_HandleModuleNameSize
                                                                                      • String ID:
                                                                                      • API String ID: 2198494350-0
                                                                                      • Opcode ID: 55ca801015eb34d8078d0a9d1e4ae41cb97b7ea6d56932397735f25fbd63eb76
                                                                                      • Instruction ID: 158809dc739e0fdf5188bed196b5ce3a1730fd118f05dab8972c76e6a7e813c0
                                                                                      • Opcode Fuzzy Hash: 55ca801015eb34d8078d0a9d1e4ae41cb97b7ea6d56932397735f25fbd63eb76
                                                                                      • Instruction Fuzzy Hash: 0261E572900218ABDB20EF65DC85FEE73BCEF96310F1001ADF516A7181DA709E85DB61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00DE3685: GetLastError.KERNEL32(?,?,00DD0F74,01190B70,00000010), ref: 00DE3689
                                                                                        • Part of subcall function 00DE3685: _free.LIBCMT ref: 00DE36BC
                                                                                        • Part of subcall function 00DE3685: SetLastError.KERNEL32(00000000), ref: 00DE36FD
                                                                                        • Part of subcall function 00DE3685: _abort.LIBCMT ref: 00DE3703
                                                                                      • _memcmp.LIBVCRUNTIME ref: 00DC7548
                                                                                      • _free.LIBCMT ref: 00DC75B9
                                                                                      • _free.LIBCMT ref: 00DC75D2
                                                                                      • _free.LIBCMT ref: 00DC7604
                                                                                      • _free.LIBCMT ref: 00DC760D
                                                                                      • _free.LIBCMT ref: 00DC7619
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorLast$_abort_memcmp
                                                                                      • String ID: C
                                                                                      • API String ID: 1679612858-1037565863
                                                                                      • Opcode ID: 3455b1577693d214624e79afe6b21f85856697b7015e99b7ee18cb2e53714f8a
                                                                                      • Instruction ID: 17f955648190741387c2691a2d8ceeac9bd800c68c058d4df07260c2f4e7e61f
                                                                                      • Opcode Fuzzy Hash: 3455b1577693d214624e79afe6b21f85856697b7015e99b7ee18cb2e53714f8a
                                                                                      • Instruction Fuzzy Hash: 29C12775A0521ADBDB24DF18C885BADB7B4FF08314F5485AEE949A7350D730AE90CFA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00B56C25
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00B56C52
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00B56C7F
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00B56CAC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw
                                                                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                      • API String ID: 2005118841-1866435925
                                                                                      • Opcode ID: e7c180eb0a7e01cac1b9c9ecfdc20bc424fd03dd7b37a2be6bad73df11f0f146
                                                                                      • Instruction ID: 88fb86a209acc6e1b796fdfc5c73dcdbe944679365d46c3047c12003b67024fd
                                                                                      • Opcode Fuzzy Hash: e7c180eb0a7e01cac1b9c9ecfdc20bc424fd03dd7b37a2be6bad73df11f0f146
                                                                                      • Instruction Fuzzy Hash: CE1182705443467AC614EB20CC43F6E7BD8DB44755F9088CCBCD5AB1C2DBB0A9988676
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • __EH_prolog3_catch.LIBCMT ref: 00CA1364
                                                                                      • EnterCriticalSection.KERNEL32(?,00000010,00CA1265,?,00000000,?,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70,?,00B405B2), ref: 00CA1375
                                                                                      • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70,?,00B405B2,?,00B404BE), ref: 00CA1391
                                                                                      • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70), ref: 00CA1401
                                                                                      • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,00C778B3,00C7794C,?,?,00000000,01181E90), ref: 00CA141B
                                                                                      • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70,?,00B405B2), ref: 00CA142A
                                                                                      • TlsSetValue.KERNEL32(?,00000000), ref: 00CA145A
                                                                                      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70,?,00B405B2,?,00B404BE), ref: 00CA1491
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$AllocLeaveLocalValue$EnterH_prolog3_catch
                                                                                      • String ID:
                                                                                      • API String ID: 2715462074-0
                                                                                      • Opcode ID: 36e50cb031afc115ff41c7dc44b6d9db61329ad49b65ca684142fb8ed3a27fdc
                                                                                      • Instruction ID: e0062073105e86935e0197a9d9c18ba27a1d6e3fd79128e3c55d7a5f5679dc00
                                                                                      • Opcode Fuzzy Hash: 36e50cb031afc115ff41c7dc44b6d9db61329ad49b65ca684142fb8ed3a27fdc
                                                                                      • Instruction Fuzzy Hash: CE31E270500707EFCB149F55D88596ABBB4FF45714F14C62DE8699B660DB30A940DF50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetSystemMetrics.USER32 ref: 00C9CB64
                                                                                      • GetSystemMetrics.USER32 ref: 00C9CB72
                                                                                      • SetRectEmpty.USER32(?), ref: 00C9CB85
                                                                                      • EnumDisplayMonitors.USER32(00000000,00000000,00C9C9EA,?,?,00000000,00C9CB17), ref: 00C9CB95
                                                                                      • SystemParametersInfoW.USER32 ref: 00C9CBA4
                                                                                      • SystemParametersInfoW.USER32 ref: 00C9CBD1
                                                                                      • SystemParametersInfoW.USER32 ref: 00C9CBE5
                                                                                      • SystemParametersInfoW.USER32 ref: 00C9CC0B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
                                                                                      • String ID:
                                                                                      • API String ID: 2614369430-0
                                                                                      • Opcode ID: 0984f37129806ebd4bb3337f56ea105d3bb6ac995496b9113603b3fb0db7b591
                                                                                      • Instruction ID: 577f128a2b2532761bdc251655a1f72b6c7babb6fffe9991a6c31a58d4ff1c55
                                                                                      • Opcode Fuzzy Hash: 0984f37129806ebd4bb3337f56ea105d3bb6ac995496b9113603b3fb0db7b591
                                                                                      • Instruction Fuzzy Hash: 3D214DB0202616BFF704AF719C8DEE2BBACFF09351F00052AE559DA240E7B02944CBA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00C778CC: __CxxThrowException@8.LIBVCRUNTIME ref: 00C778E0
                                                                                      • IsWindow.USER32(?), ref: 00CDE197
                                                                                      • ShowWindow.USER32(00000000,00000004,?,00000000,00000000), ref: 00CDE1D8
                                                                                      • IsWindow.USER32(00000000), ref: 00CDE228
                                                                                      • IsWindowVisible.USER32 ref: 00CDE233
                                                                                      • ShowWindow.USER32(00000000,00000000,?,00000000,00000000), ref: 00CDE27F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Show$Exception@8ThrowVisible
                                                                                      • String ID: (
                                                                                      • API String ID: 579020799-2408637067
                                                                                      • Opcode ID: d3309de8a2a0a670b254598ca69b5b1fce6e96c38b27045acef5d07d0a76d069
                                                                                      • Instruction ID: b22897d49a9a8fa52d55fb5bdb7b4c12b3cbd90488687e8e7f19265e7350d48a
                                                                                      • Opcode Fuzzy Hash: d3309de8a2a0a670b254598ca69b5b1fce6e96c38b27045acef5d07d0a76d069
                                                                                      • Instruction Fuzzy Hash: C171A4316007059FDB28FF65D845AAEB7B8FF44310F14462EEA169B791DB70EA04DB90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,7F82841F), ref: 00BD132E
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00000007,00000000), ref: 00BD1353
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0D591AD8,000000FF,00000000,00000000,00000000,00000000), ref: 00BD13A5
                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,011B392C,000000FF,00000000,00000000,00000000,00000000), ref: 00BD13CB
                                                                                      Strings
                                                                                      • GOORRRRR]ap!(6AGIKVcq"#.=GHHRZ[ccmp}!/=G, xrefs: 00BD12EA
                                                                                      • OST\\\\\ftt|)47:AKMX[[gmu"$14BGS_clnpz%), xrefs: 00BD14AE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide
                                                                                      • String ID: GOORRRRR]ap!(6AGIKVcq"#.=GHHRZ[ccmp}!/=G$OST\\\\\ftt|)47:AKMX[[gmu"$14BGS_clnpz%)
                                                                                      • API String ID: 626452242-4175385514
                                                                                      • Opcode ID: 9f16278fa0aa52e0220755833048f8f1540b491b868591d38516c1dc18d4ae7f
                                                                                      • Instruction ID: 6cd2395e43e1eb6a25f84ed6e68a380e7f10272f7b052fc01df6ddbd84f153f6
                                                                                      • Opcode Fuzzy Hash: 9f16278fa0aa52e0220755833048f8f1540b491b868591d38516c1dc18d4ae7f
                                                                                      • Instruction Fuzzy Hash: 99717C71A00218ABDB10DFA8DC45BAEBBF4EF09320F2442A9F515BB3C1D7756900CB65
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,?,?,80004005,?,?,00000000,?,?,?,?), ref: 00C78BD8
                                                                                      • GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 00C78BE8
                                                                                      • CreateFileW.KERNEL32(80004005,?,?,?,00000000,00000000,00000000,00000000,?,?,?,80004005,?,?,00000000,?), ref: 00C78C30
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressCreateFileHandleModuleProc
                                                                                      • String ID: ;$CreateFileTransactedW$kernel32.dll
                                                                                      • API String ID: 2580138172-2855324796
                                                                                      • Opcode ID: 73f3f9a669e4b87765ed3bf164e54a2ec9604902d69f3ebba1cfca41b9b0891b
                                                                                      • Instruction ID: ea20237d6da642bb0bccc983898ddec72db453e06009f5f5cb02635915ee9108
                                                                                      • Opcode Fuzzy Hash: 73f3f9a669e4b87765ed3bf164e54a2ec9604902d69f3ebba1cfca41b9b0891b
                                                                                      • Instruction Fuzzy Hash: E5419F7194110DEFCB11DF55DC84C9EBBBAFF08791B10812AFA68A6240DB318D65DBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • InterlockedCompareExchange.KERNEL32(011B3978,00000000,00000000), ref: 00C1C304
                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,?,00C110B5,?,00C1B3A8), ref: 00C1C30D
                                                                                      • InterlockedCompareExchange.KERNEL32(011B3978,00000000,00000000), ref: 00C1C31D
                                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,?,?,00C110B5,?,00C1B3A8), ref: 00C1C324
                                                                                      • WaitForSingleObject.KERNEL32(000000FF,?,00000000,00000000,?,?,00C110B5,?,00C1B3A8), ref: 00C1C332
                                                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,?,00C110B5,?,00C1B3A8), ref: 00C1C414
                                                                                      • ReleaseMutex.KERNEL32(?,00000000,00000000,?,?,00C110B5,?,00C1B3A8), ref: 00C1C420
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CompareExchangeInterlockedMutex$CloseCreateFreeHandleObjectReleaseSingleVirtualWait
                                                                                      • String ID:
                                                                                      • API String ID: 3379796566-0
                                                                                      • Opcode ID: 5a541423a27468af6c562a3b3754a35555dd20cbd216ca1dbb9a8a0814d95d1a
                                                                                      • Instruction ID: 988a8672fdb3cb38bc1ee90c6bb57810f516adb8587f3e96e2e6e67b71df4d48
                                                                                      • Opcode Fuzzy Hash: 5a541423a27468af6c562a3b3754a35555dd20cbd216ca1dbb9a8a0814d95d1a
                                                                                      • Instruction Fuzzy Hash: A4416870641201DFD725CF29D8C4BA5F7A1FB89314B28C66EE4258B3A5E731E892DF90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00DE3F6D: _free.LIBCMT ref: 00DE3F96
                                                                                      • _free.LIBCMT ref: 00DE4274
                                                                                        • Part of subcall function 00DE1298: RtlFreeHeap.NTDLL(00000000,00000000,?,00DE3F9B,?,00000000,?,00000000,?,00DE423F,?,00000007,?,?,00DE46BB,?), ref: 00DE12AE
                                                                                        • Part of subcall function 00DE1298: GetLastError.KERNEL32(?,?,00DE3F9B,?,00000000,?,00000000,?,00DE423F,?,00000007,?,?,00DE46BB,?,?), ref: 00DE12C0
                                                                                      • _free.LIBCMT ref: 00DE427F
                                                                                      • _free.LIBCMT ref: 00DE428A
                                                                                      • _free.LIBCMT ref: 00DE42DE
                                                                                      • _free.LIBCMT ref: 00DE42E9
                                                                                      • _free.LIBCMT ref: 00DE42F4
                                                                                      • _free.LIBCMT ref: 00DE42FF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                      • String ID:
                                                                                      • API String ID: 776569668-0
                                                                                      • Opcode ID: 1b61c71fbc3b6ff1f12703768d19f80266ee0c6c0ca01e3c05a12d12ac09143d
                                                                                      • Instruction ID: 1e9e0e9dac17ce51bc430485f54371fa8d386d1bfbb2e0f06c7e28ecccb7cf6a
                                                                                      • Opcode Fuzzy Hash: 1b61c71fbc3b6ff1f12703768d19f80266ee0c6c0ca01e3c05a12d12ac09143d
                                                                                      • Instruction Fuzzy Hash: AE112471940B88A6D620B776CC0BFEBB7FCDF04700F844A15B29DA7052D675B65486B0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(00C2D375,00EE1574,00DC5B25,00DC291E,00B9DAA4,?,00000001,00000000,7F82841F), ref: 00DC5B3C
                                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DC5B4A
                                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DC5B63
                                                                                      • SetLastError.KERNEL32(00000000,00000001,?,00C2D375,00EE15B4,in Json::Value::duplicateAndPrefixStringValue(): length too big for prefixing,00000001,00000000,7F82841F), ref: 00DC5BB5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLastValue___vcrt_
                                                                                      • String ID:
                                                                                      • API String ID: 3852720340-0
                                                                                      • Opcode ID: 2fbfa5389b33a46faf0a0c9469fcd82c4aff05ef44d5f83758f282055624f552
                                                                                      • Instruction ID: 64cb4df4ad283c97c2d7337bfcb6c4d7537fe5453284c401016597e1d8d9a59c
                                                                                      • Opcode Fuzzy Hash: 2fbfa5389b33a46faf0a0c9469fcd82c4aff05ef44d5f83758f282055624f552
                                                                                      • Instruction Fuzzy Hash: 3601F93211AB135DAA342A757C45F1A2B86DB027B4724027EF430861E8FF616CC09670
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: __cftoe
                                                                                      • String ID:
                                                                                      • API String ID: 4189289331-0
                                                                                      • Opcode ID: 4f590aeeee39da371b4fe04e9d7b15bf19f15fac6c78cfdc255461ce72edaf49
                                                                                      • Instruction ID: 996ebea9efaad7259532948d48a614464e8f163a4acacda6446073fdf686f064
                                                                                      • Opcode Fuzzy Hash: 4f590aeeee39da371b4fe04e9d7b15bf19f15fac6c78cfdc255461ce72edaf49
                                                                                      • Instruction Fuzzy Hash: ED51CB32500245ABEB247F5A8C85FAE7BB9EF59320F1C4219F41996183DB71D980CAB4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00B658A6
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00B658C9
                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00B658E9
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00B6595F
                                                                                      • std::_Facet_Register.LIBCPMT ref: 00B65975
                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00B65980
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                      • String ID:
                                                                                      • API String ID: 2536120697-0
                                                                                      • Opcode ID: e4c8d00c31d1592322e872e6d0941e7d3ef6a1e4a7be660c20d0d9def0a72776
                                                                                      • Instruction ID: 193822926740ead40ea3b3ab86681d798cbbb36484677ead55ea88427f1ef8fb
                                                                                      • Opcode Fuzzy Hash: e4c8d00c31d1592322e872e6d0941e7d3ef6a1e4a7be660c20d0d9def0a72776
                                                                                      • Instruction Fuzzy Hash: BF31C031D00659CFCB25DF94D881AEEB7F4FB08324F14426AE826B7381D734A951CBA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00B65666
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00B65689
                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00B656A9
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00B6571F
                                                                                      • std::_Facet_Register.LIBCPMT ref: 00B65735
                                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00B65740
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                      • String ID:
                                                                                      • API String ID: 2536120697-0
                                                                                      • Opcode ID: 5a4c995f30be5e8c1df68b7c90f3a0c26d9d6ae09e0ad948315547183cb21e23
                                                                                      • Instruction ID: aa6e3353ac8ede1a737eac74313a68bdc39b3874d52edc6254484884e698bdcf
                                                                                      • Opcode Fuzzy Hash: 5a4c995f30be5e8c1df68b7c90f3a0c26d9d6ae09e0ad948315547183cb21e23
                                                                                      • Instruction Fuzzy Hash: 3331AE71D01619DFCB25DF54D880AAEB7F4FF48324F5446AAE815A7281DB34AD41CBA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___from_strstr_to_strchr.LIBCMT ref: 00C56C01
                                                                                      • ___from_strstr_to_strchr.LIBCMT ref: 00C56C1A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___from_strstr_to_strchr
                                                                                      • String ID: W$0123456789ABCDEF$0123456789abcdef
                                                                                      • API String ID: 601868998-1291541780
                                                                                      • Opcode ID: eca5a801da8aa75d22466abeab481af61344b86ac85ccc03c931a53b4f0e2352
                                                                                      • Instruction ID: ff8471a1f086ba9650b1eb12bc8a9340694522f1738052948064eb14a88c3580
                                                                                      • Opcode Fuzzy Hash: eca5a801da8aa75d22466abeab481af61344b86ac85ccc03c931a53b4f0e2352
                                                                                      • Instruction Fuzzy Hash: BD51C335E042498BCF10CFA8D4806EDFBB1EF55309F94456EDC59A7201E731AA89CB64
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • DeleteObject.GDI32(?), ref: 00CA45E6
                                                                                      • GlobalFlags.KERNEL32(?), ref: 00CA4607
                                                                                      • GlobalUnlock.KERNEL32(?,?,?,?,00CCB446,?,00EDF7B4,?,?,00CD0182,00C9D675,00000000), ref: 00CA4615
                                                                                      • GlobalFree.KERNEL32 ref: 00CA4621
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Global$DeleteFlagsFreeObjectUnlock
                                                                                      • String ID: x4
                                                                                      • API String ID: 2517987852-83548478
                                                                                      • Opcode ID: 395dfe2f45d5e3a528995d0baae32df3c0028f7ad8a0a487c2b2045683096360
                                                                                      • Instruction ID: 7e1454a5ec00639433e264c8fc9ffc13043ee423e41e91e4ceda6066da5dab31
                                                                                      • Opcode Fuzzy Hash: 395dfe2f45d5e3a528995d0baae32df3c0028f7ad8a0a487c2b2045683096360
                                                                                      • Instruction Fuzzy Hash: C4F0B432902236BFC6252F59F80CADEB75CDF97766F040016F9547B21087715A44C6E9
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00DDF611,00000003,?,00DDF5B1,00000003,01190F38,0000000C,00DDF708,00000003,00000002), ref: 00DDF680
                                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DDF693
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00DDF611,00000003,?,00DDF5B1,00000003,01190F38,0000000C,00DDF708,00000003,00000002,00000000), ref: 00DDF6B6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                      • API String ID: 4061214504-1276376045
                                                                                      • Opcode ID: fce6c07e7f8907e4f3fac22bbf815f286ed9cb7d78099e4b1d2cb694025be1d0
                                                                                      • Instruction ID: 7dfc775c52260b6d7702a82a90c34e72aa5ada553b0f63306f5d14fd18c517a1
                                                                                      • Opcode Fuzzy Hash: fce6c07e7f8907e4f3fac22bbf815f286ed9cb7d78099e4b1d2cb694025be1d0
                                                                                      • Instruction Fuzzy Hash: 85F04431941208BFCB116F65EC0DBADBFB5EB04751F040166F806A6260DB349E84CA95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c902049f984e873694751709554cc0812383232ebe05ab03e9e4755d6dc0cd6d
                                                                                      • Instruction ID: f7a1227ad8113f4a952985acd816c7abb53bf689126fa772c8d9f6880fac22cf
                                                                                      • Opcode Fuzzy Hash: c902049f984e873694751709554cc0812383232ebe05ab03e9e4755d6dc0cd6d
                                                                                      • Instruction Fuzzy Hash: 9871D231D0029A9BDB21BF56C884ABEBB76FF45360F284229E45567281DF709C41CBB1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • EnterCriticalSection.KERNEL32(000003CC,?,00000010,00B38593,?), ref: 00BC18AB
                                                                                      • LeaveCriticalSection.KERNEL32(000003CC,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BC18BB
                                                                                      • PathFileExistsW.SHLWAPI(00000000,?), ref: 00BC18E6
                                                                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00BC1905
                                                                                      • LeaveCriticalSection.KERNEL32(000003CC), ref: 00BC1912
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$FileLeave$CreateEnterExistsPath
                                                                                      • String ID:
                                                                                      • API String ID: 3387406714-0
                                                                                      • Opcode ID: fcecfbd1ac6e5f06c469a042f5177f931fa14cc8d4bf6636899b4ab8245dc4ff
                                                                                      • Instruction ID: c49c864846f034be20c615ec7e713bd02a6513709cf6cd43f23f05f61cf4b7e3
                                                                                      • Opcode Fuzzy Hash: fcecfbd1ac6e5f06c469a042f5177f931fa14cc8d4bf6636899b4ab8245dc4ff
                                                                                      • Instruction Fuzzy Hash: 0B11D330601208AFD714AF29EC49FADBBF8EF45721F1042ADF815BA2D0EB706A45CB50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(?,?,?,00DC622F,00DE0A0C,?,00DE36B3,00000001,00000364,?,00DD0F74,01190B70,00000010), ref: 00DE370E
                                                                                      • _free.LIBCMT ref: 00DE3743
                                                                                      • _free.LIBCMT ref: 00DE376A
                                                                                      • SetLastError.KERNEL32(00000000), ref: 00DE3777
                                                                                      • SetLastError.KERNEL32(00000000), ref: 00DE3780
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_free
                                                                                      • String ID:
                                                                                      • API String ID: 3170660625-0
                                                                                      • Opcode ID: 9036c3089133d5301a06919f284dcddfaa190f5f4a81b05ffb49b35c82828c93
                                                                                      • Instruction ID: 898ade1575422614b0ae0445be52084d90bcb58eeb95c8b7fb58c5646f9d75dc
                                                                                      • Opcode Fuzzy Hash: 9036c3089133d5301a06919f284dcddfaa190f5f4a81b05ffb49b35c82828c93
                                                                                      • Instruction Fuzzy Hash: 4C01D6F62056802BD3123A3B6C8E93A3769CBD17F67280129F418A7291FA70CA454131
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 00DE3D00
                                                                                        • Part of subcall function 00DE1298: RtlFreeHeap.NTDLL(00000000,00000000,?,00DE3F9B,?,00000000,?,00000000,?,00DE423F,?,00000007,?,?,00DE46BB,?), ref: 00DE12AE
                                                                                        • Part of subcall function 00DE1298: GetLastError.KERNEL32(?,?,00DE3F9B,?,00000000,?,00000000,?,00DE423F,?,00000007,?,?,00DE46BB,?,?), ref: 00DE12C0
                                                                                      • _free.LIBCMT ref: 00DE3D12
                                                                                      • _free.LIBCMT ref: 00DE3D24
                                                                                      • _free.LIBCMT ref: 00DE3D36
                                                                                      • _free.LIBCMT ref: 00DE3D48
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                      • String ID:
                                                                                      • API String ID: 776569668-0
                                                                                      • Opcode ID: 8088856b97711e37d40bab74c52b5400dce154e34d8944ad009f0124d2a7237c
                                                                                      • Instruction ID: 9d981303b805a06461b7b431a6ca5ef7314bb649aee9c5ce9eb811daafdb771a
                                                                                      • Opcode Fuzzy Hash: 8088856b97711e37d40bab74c52b5400dce154e34d8944ad009f0124d2a7237c
                                                                                      • Instruction Fuzzy Hash: D2F0FF3654468C678638FA6EEC86D2673EDEA057107AC0955F129D7505CA30FDC08A74
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 00B34029
                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00B34033
                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 00B3403F
                                                                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B3405B
                                                                                      • WaitForSingleObject.KERNEL32(?,000007D0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B3406C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterLeave$ObjectSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 1755037574-0
                                                                                      • Opcode ID: 1ca967b2b5c0794d7def0b1f482b8df3093266101714789ba407f4f1f55091f0
                                                                                      • Instruction ID: a3fce66047337889c25bd8f68c5785c293a4e4147932a5d210ecdfdcfd84cde1
                                                                                      • Opcode Fuzzy Hash: 1ca967b2b5c0794d7def0b1f482b8df3093266101714789ba407f4f1f55091f0
                                                                                      • Instruction Fuzzy Hash: C2F030B2501512AFD3086B62FD8CB86FB69FB04365F505016F21AA6A10D775A8688FA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,00000010,00000104), ref: 00B607C0
                                                                                      • GetCurrentDirectoryW.KERNEL32(00000104,00BC3135,00000000,-00000002,?,?,?,?,80070057), ref: 00B608F4
                                                                                      Strings
                                                                                      • GVZcccccpz})-7CCKMQYdnu!*9>HR`es}$17:EEN, xrefs: 00B60848
                                                                                      • BOQRRRRRUdfjlmo|))+-5;HWbptw()05DPW__lqv, xrefs: 00B6094D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentDirectoryFileModuleName
                                                                                      • String ID: BOQRRRRRUdfjlmo|))+-5;HWbptw()05DPW__lqv$GVZcccccpz})-7CCKMQYdnu!*9>HR`es}$17:EEN
                                                                                      • API String ID: 3981628254-3859078707
                                                                                      • Opcode ID: cc76a2c88d77185a0eff26f8460c52035478fa2798c1c0b999869de6292a6f99
                                                                                      • Instruction ID: e0db8663088360169716a4a7f9c5a24d2f14176b25b28c4aa4d5c1b8caa51ef4
                                                                                      • Opcode Fuzzy Hash: cc76a2c88d77185a0eff26f8460c52035478fa2798c1c0b999869de6292a6f99
                                                                                      • Instruction Fuzzy Hash: F581F371A201059BDB18EB29C895BBFB7F6EF94300F0441EDE90697291EB75AE41CF90
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 00BD0AE3
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00BD0B08
                                                                                      • OutputDebugStringW.KERNEL32(?), ref: 00BD0B12
                                                                                      Strings
                                                                                      • JNPUUUUUcjnz}#%.9:???FSZZfiww{,;>MQXbjnntz%0<<BPW\kmoy()789@MY[`hiinpx',, xrefs: 00BD0AEC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: DebugFormatFreeLocalMessageOutputString
                                                                                      • String ID: JNPUUUUUcjnz}#%.9:???FSZZfiww{,;>MQXbjnntz%0<<BPW\kmoy()789@MY[`hiinpx',
                                                                                      • API String ID: 3011195115-3081766093
                                                                                      • Opcode ID: d7d82dcc968a8a7523af54c04ebbcd73951e00487495a867fd60096daac223bc
                                                                                      • Instruction ID: d621e0bef3f7411a5e3c7485d1b9f64427d9e41e21ad020e4aef54f72f951ce1
                                                                                      • Opcode Fuzzy Hash: d7d82dcc968a8a7523af54c04ebbcd73951e00487495a867fd60096daac223bc
                                                                                      • Instruction Fuzzy Hash: CC218371900609AFD710EF64DC09FAEBBF8EF44724F14426AF915A72D0DB709904CBA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Object$DeleteH_prolog3ImageLoad
                                                                                      • String ID:
                                                                                      • API String ID: 91933946-0
                                                                                      • Opcode ID: 10579168fcf6327cc15fc65671ecce72b1100a60f1d457e6718eb0194cb21cfb
                                                                                      • Instruction ID: 2eb89e6fe302c271eb3e82c1edb2f47551ec51035d3f9c9c6310d4412d2d5cd5
                                                                                      • Opcode Fuzzy Hash: 10579168fcf6327cc15fc65671ecce72b1100a60f1d457e6718eb0194cb21cfb
                                                                                      • Instruction Fuzzy Hash: B6717D718012159FCF19EF64C885BED7BB5FF0A310F1441ADEC256B286CB349A45DBA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free
                                                                                      • String ID:
                                                                                      • API String ID: 269201875-0
                                                                                      • Opcode ID: e2f55898161fbedea1ae2865c9cdadcd706dbdef7769ab1831d3f57d23293719
                                                                                      • Instruction ID: 8b77588fc7b126e6bc5521e938534fdf4ee24d19b87faba26e03ec023ba1513f
                                                                                      • Opcode Fuzzy Hash: e2f55898161fbedea1ae2865c9cdadcd706dbdef7769ab1831d3f57d23293719
                                                                                      • Instruction Fuzzy Hash: 17411631600291AADB217FBB9C86B7E7BA5FF45330F18422DF419D7292E6748C4186B1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,84E85006,00DC869E,00000000,00000000,00DCA3BC,?,00DCA3BC,?,00000001,00DC869E,84E85006,00000001,00DCA3BC,00DCA3BC), ref: 00DE43D6
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00DE445F
                                                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00DE4471
                                                                                      • __freea.LIBCMT ref: 00DE447A
                                                                                        • Part of subcall function 00DE0EEA: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B442A3), ref: 00DE0F1C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                      • String ID:
                                                                                      • API String ID: 2652629310-0
                                                                                      • Opcode ID: 3233bba457eea7cdf8bbe6c9cb7a135782cd7ef949ce67bf2b8dad54566c5bc4
                                                                                      • Instruction ID: 95cc8f648c1dc513d082659e15c7ddbc4910452f64a3e65dce576333c3ce55ae
                                                                                      • Opcode Fuzzy Hash: 3233bba457eea7cdf8bbe6c9cb7a135782cd7ef949ce67bf2b8dad54566c5bc4
                                                                                      • Instruction Fuzzy Hash: F431DE72A0024AAFDB25AF66DC45EAE7BA5EB00750B084129FC04DB290EB75DD51CBB0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,MyLog.cpp,000000FF,00000000,00000000,00000001,00BA4ED6), ref: 00B94406
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,MyLog.cpp,000000FF,00000000,00000000), ref: 00B94432
                                                                                      • InitializeCriticalSection.KERNEL32(?), ref: 00B9448C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$CriticalInitializeSection
                                                                                      • String ID: MyLog.cpp
                                                                                      • API String ID: 1169288905-1586943524
                                                                                      • Opcode ID: 23a20b7829b81c52243d9018b794eccebeef365718a717e84fed423a14475926
                                                                                      • Instruction ID: 897e23575fd741b9ac84603dcfa45fa39c96021a60638508fb8d5a348b61df63
                                                                                      • Opcode Fuzzy Hash: 23a20b7829b81c52243d9018b794eccebeef365718a717e84fed423a14475926
                                                                                      • Instruction Fuzzy Hash: 6231A1B12002006BEB149F25CC96B6B7A94EF45314F14426DE9098F3C6EBB6E814C7F5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00B56037
                                                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00B560A3
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00B560BB
                                                                                        • Part of subcall function 00DC3A5A: KiUserExceptionDispatcher.NTDLL(?,?,?,?,011B1E70,?), ref: 00DC3AB9
                                                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B560C2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: std::_$DispatcherExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_ThrowUser___std_exception_copy
                                                                                      • String ID:
                                                                                      • API String ID: 2355598456-0
                                                                                      • Opcode ID: f234d911cd0c5067296dca2b0457bded93db99fb4d5c385ce3e05aec04505254
                                                                                      • Instruction ID: 91eb17b490434aaa6ce22b0bcae235a234fad8e36e1dd17245a0bb6ca669d5d7
                                                                                      • Opcode Fuzzy Hash: f234d911cd0c5067296dca2b0457bded93db99fb4d5c385ce3e05aec04505254
                                                                                      • Instruction Fuzzy Hash: 8621AB718047889ECB21CFA9C941BDFBBF8EF18710F00466EE456A3640E775A648CBA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00DE634E,?,00000000,00000000,00000000,?,00DE667A,00000006,FlsSetValue), ref: 00DE63D9
                                                                                      • GetLastError.KERNEL32(?,00DE634E,?,00000000,00000000,00000000,?,00DE667A,00000006,FlsSetValue,00F1E6A8,00F1E6B0,00000000,00000364,?,00DE3757), ref: 00DE63E5
                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00DE634E,?,00000000,00000000,00000000,?,00DE667A,00000006,FlsSetValue,00F1E6A8,00F1E6B0,00000000), ref: 00DE63F3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad$ErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 3177248105-0
                                                                                      • Opcode ID: 0960fee9033ec87e0ebe0b9c2aab48e0a3603438e3102ed9278592d90a9c4015
                                                                                      • Instruction ID: 5dd5957f910c16952a5930f8f430bf9e261e4ee00746e6a473186efd7d0a38c2
                                                                                      • Opcode Fuzzy Hash: 0960fee9033ec87e0ebe0b9c2aab48e0a3603438e3102ed9278592d90a9c4015
                                                                                      • Instruction Fuzzy Hash: 0301F732206276AFC7216A7BBC4CE667B98EF15BF17190530F945E7280D730D8018AF0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • PathFileExistsW.SHLWAPI(00000000,00B3AE09,00BC2F30,?,00000000,?,00000000), ref: 00BD18CC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExistsFilePath
                                                                                      • String ID:
                                                                                      • API String ID: 1174141254-0
                                                                                      • Opcode ID: 2c2c5792348b07a727c4c5796f1598a85a34f641caa92b438a97529957d9a25d
                                                                                      • Instruction ID: 0330033b8f35c39fb9c432fa33d6444e77e230ee46e8fd2c8feb9f7fc5c05cf4
                                                                                      • Opcode Fuzzy Hash: 2c2c5792348b07a727c4c5796f1598a85a34f641caa92b438a97529957d9a25d
                                                                                      • Instruction Fuzzy Hash: C8E046315079306EEB61672EBC4CADA2399DF02365F410A93F461E92E0E7158C8B22E5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: %s$Connection #%ld to host %s left intact
                                                                                      • API String ID: 0-118628944
                                                                                      • Opcode ID: dd233d92bfe8f31bc1e5153f9890bd85ed669e4f251d6aed6bdf22ab5b8da5a6
                                                                                      • Instruction ID: b82122cc767394501f90e7450aa11938b1abe3089defac0f5761a7194d058be8
                                                                                      • Opcode Fuzzy Hash: dd233d92bfe8f31bc1e5153f9890bd85ed669e4f251d6aed6bdf22ab5b8da5a6
                                                                                      • Instruction Fuzzy Hash: 4F714570610704AFEB25DF24DC45BEAF7E4FF05308F040169E8AE52291D7B56AA8DF92
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,00000010,00000104,?,7F82841F,7F828C27,7F82841F,7F828C2B), ref: 00B604F0
                                                                                      Strings
                                                                                      • CHN]]]]]`mq ,2?DMOVekoz#+.8>HJRZ\dnx$39:, xrefs: 00B60586
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileModuleName
                                                                                      • String ID: CHN]]]]]`mq ,2?DMOVekoz#+.8>HJRZ\dnx$39:
                                                                                      • API String ID: 514040917-1655671946
                                                                                      • Opcode ID: d197c69ac37f5ea2332f6c01890401b618e57064510444a6cee2d916b48f244d
                                                                                      • Instruction ID: 141d7cd2eef9e004505e12f6bddd1cbb40aebfbcbc549dd1a49b23a7cd5b1c36
                                                                                      • Opcode Fuzzy Hash: d197c69ac37f5ea2332f6c01890401b618e57064510444a6cee2d916b48f244d
                                                                                      • Instruction Fuzzy Hash: D361E4719101099BCB14EB64CC95FEFB3B9EF50320F0442E9A506A71D1EB759E85CFA0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,7F82841F,?,?,?,?,00BC0886), ref: 00B6CB38
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00BC0886), ref: 00B6CB59
                                                                                      Strings
                                                                                      • CGJRRRRRalpy|| '-459ANXfiwy||%19:AEJMYbejxy"/9ELU^bdhpt}-5=CERS\hu&&3>FKOXcjnn}"-19AJV\ilu&*8EJU`km{"&,5CDGHHNOXZ[_lnn{+069FGLLOWX[]ix| +5=AKT[jqvx&(+3;?NYaopz!!+1?@FGV, xrefs: 00B6CBAA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide
                                                                                      • String ID: CGJRRRRRalpy|| '-459ANXfiwy||%19:AEJMYbejxy"/9ELU^bdhpt}-5=CERS\hu&&3>FKOXcjnn}"-19AJV\ilu&*8EJU`km{"&,5CDGHHNOXZ[_lnn{+069FGLLOWX[]ix| +5=AKT[jqvx&(+3;?NYaopz!!+1?@FGV
                                                                                      • API String ID: 626452242-2584301198
                                                                                      • Opcode ID: e0a7333aec8e9f05600323207a422723996a30f8715a0e25d41475a6b7d53b8b
                                                                                      • Instruction ID: 5304f45ccede2ac8db378d72986302f3162471e9edcfa7ec261f884ab054db8a
                                                                                      • Opcode Fuzzy Hash: e0a7333aec8e9f05600323207a422723996a30f8715a0e25d41475a6b7d53b8b
                                                                                      • Instruction Fuzzy Hash: 7431E771E903187AEB11AB649C83FBF77B8DB45F10F100259F6147A2C2EBB56500D669
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00DE577A,00000004,00000050,?,?,?,?,?), ref: 00DE55FA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ACP$OCP
                                                                                      • API String ID: 0-711371036
                                                                                      • Opcode ID: f2c9a606de6c17b3c9bbfae35bc99ed9f80d6c76528180a3ab3c44561f63dfbd
                                                                                      • Instruction ID: a9c27a402c6a42ab98104f8d4ae65b871e41be214a910a70d6f644d58e54742c
                                                                                      • Opcode Fuzzy Hash: f2c9a606de6c17b3c9bbfae35bc99ed9f80d6c76528180a3ab3c44561f63dfbd
                                                                                      • Instruction Fuzzy Hash: DD219262A04981A6DB34FF56ED01B9773A7EB54BA8FAA4524E90AD7108F732DD40C370
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ___from_strstr_to_strchr.LIBCMT ref: 00C56AEF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___from_strstr_to_strchr
                                                                                      • String ID: .$0123456789
                                                                                      • API String ID: 601868998-4187921772
                                                                                      • Opcode ID: 2ab44b29e564122b04476075d2c602f3d97f56c64bba58f7bdd8bd3064e56d1a
                                                                                      • Instruction ID: 88dc44c25f6ce9c908c950d9d085f2a95f9428d1384fefdeb6cb03b07fe051e2
                                                                                      • Opcode Fuzzy Hash: 2ab44b29e564122b04476075d2c602f3d97f56c64bba58f7bdd8bd3064e56d1a
                                                                                      • Instruction Fuzzy Hash: 6B216A3E900A045BDB218A2DC4D03BAFBB5DF42317F5400BECC69CB240D532CB999298
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • GetSysColor.USER32(00000014), ref: 00C9C5D5
                                                                                      • CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 00C9C625
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: BitmapColorCreate
                                                                                      • String ID: (
                                                                                      • API String ID: 2048008349-3887548279
                                                                                      • Opcode ID: da014054fc9e02ced95f2b823cc2d2ff021d1363df370ce8de677462bd06466c
                                                                                      • Instruction ID: 9387c9ec9c3f174b9baa963d4ac1c81b5ac8c1185645888540df1dd30eb1be10
                                                                                      • Opcode Fuzzy Hash: da014054fc9e02ced95f2b823cc2d2ff021d1363df370ce8de677462bd06466c
                                                                                      • Instruction Fuzzy Hash: 2321BE31A5124CDBEB14DFA89C46BEDBBF8EF14300F4080AEE545EB281DA345A48CB61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCreateHandleProcess
                                                                                      • String ID: D
                                                                                      • API String ID: 3712363035-2746444292
                                                                                      • Opcode ID: e85d7da81f1121b929c244022411a593ccde174bf0a2096876dbd69be609b2bf
                                                                                      • Instruction ID: 416dfd13bbf2ef0ba31a409da8811b5fc102e076c22a053237916eee8a4a0965
                                                                                      • Opcode Fuzzy Hash: e85d7da81f1121b929c244022411a593ccde174bf0a2096876dbd69be609b2bf
                                                                                      • Instruction Fuzzy Hash: 8521F975E0024DABDB10DFD5DC45BDEBBB8EB08700F10406AEA05BB381E675A954CBA4
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ___swprintf_l
                                                                                      • String ID: ...$...
                                                                                      • API String ID: 48624451-2253869979
                                                                                      • Opcode ID: 477e501f9dba87fcfae593334e6e083c9330a39ee629befa2322d2d0387d1948
                                                                                      • Instruction ID: 0a303d0654daca9f88b7f6e66ef2758a5479324d06869bfdf77c4962cc42eb31
                                                                                      • Opcode Fuzzy Hash: 477e501f9dba87fcfae593334e6e083c9330a39ee629befa2322d2d0387d1948
                                                                                      • Instruction Fuzzy Hash: 1F11E475D00208AAEF25DE64DC45BFD7769FB01308F048199EDA46B181DE726B8E8790
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      • abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_, xrefs: 00B6ECF8, 00B6ED1C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
                                                                                      • API String ID: 0-3812731148
                                                                                      • Opcode ID: e799aea905d258d6b1a7a6761183bba22d7447012b89735df92f3fcae9dac910
                                                                                      • Instruction ID: bbecdca8608925da905e0a35f3cd723fc59e0e30e6df87c45093610ac847875d
                                                                                      • Opcode Fuzzy Hash: e799aea905d258d6b1a7a6761183bba22d7447012b89735df92f3fcae9dac910
                                                                                      • Instruction Fuzzy Hash: 52F0B47D1006054ADB24A77889C2F6E33C8CE1035070840BDE52BC7112EE19D9558776
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                        • Part of subcall function 00BD66F0: InitializeCriticalSectionAndSpinCount.KERNEL32(011B4A38,00000000,00000000,?,?,00CCDC86,00000000,00000000), ref: 00BD6740
                                                                                        • Part of subcall function 00BD66F0: GetLastError.KERNEL32(?,?,00CCDC86,00000000,00000000), ref: 00BD674A
                                                                                        • Part of subcall function 00BD66F0: __Init_thread_footer.LIBCMT ref: 00BD6770
                                                                                      • GdipCreateBitmapFromStream.GDIPLUS(00000000,00000000,00000000), ref: 00CCD8B0
                                                                                      • GdipDisposeImage.GDIPLUS(?,T4,00000000,00000000,00000000), ref: 00CCD8DB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: Gdip$BitmapCountCreateCriticalDisposeErrorFromImageInit_thread_footerInitializeLastSectionSpinStream
                                                                                      • String ID: T4
                                                                                      • API String ID: 1431530342-13310779
                                                                                      • Opcode ID: 77f8ba039142d97337ede1728bcc6e76b2b4732e3ff5e37df8a5d879b104c22d
                                                                                      • Instruction ID: 61f9dff41a2a710f9bd9751d4317aa4f7e6dfe640162b75789b24b4bd5c59000
                                                                                      • Opcode Fuzzy Hash: 77f8ba039142d97337ede1728bcc6e76b2b4732e3ff5e37df8a5d879b104c22d
                                                                                      • Instruction Fuzzy Hash: 7AF03CB5D10219A7DF14EBA4C911BFEB7B89B10310F1005ADED02A7381DB748E049BE1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,00EBE910,00EBE910,00000000,00000000,00000000,?,00000000), ref: 00DEA1B0
                                                                                      • GetLastError.KERNEL32 ref: 00DEA1BE
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00DEA219
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 1717984340-0
                                                                                      • Opcode ID: 2a2378b871743ea45a981463890de67e439ac1f4e77dab5169994316c4a7edfa
                                                                                      • Instruction ID: dbc95a6478ab7bb4024d931dbe856115aff8c5647909ae9bdf0afd25e0ecb2b0
                                                                                      • Opcode Fuzzy Hash: 2a2378b871743ea45a981463890de67e439ac1f4e77dab5169994316c4a7edfa
                                                                                      • Instruction Fuzzy Hash: 23413D30600283AFCF21AFAED844B7A7BA4EF01320F195159F9596B191D731ED01C776
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • EnterCriticalSection.KERNEL32(011AAE50,?,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004), ref: 00CA4A0A
                                                                                      • InitializeCriticalSection.KERNEL32(00000000,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004,00CBD2FF), ref: 00CA4A20
                                                                                      • LeaveCriticalSection.KERNEL32(011AAE50,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004,00CBD2FF), ref: 00CA4A2E
                                                                                      • EnterCriticalSection.KERNEL32(00000000,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004,00CBD2FF), ref: 00CA4A3B
                                                                                        • Part of subcall function 00CA4970: InitializeCriticalSection.KERNEL32(011AAE50,00CA49F4,?,00000010,?,00CA11AA,00000010,00000008,00C8DCA5,00C8DCE3,00C7794C,00C789D5,00CBD329,?,00000000,00000004), ref: 00CA4988
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterInitialize$Leave
                                                                                      • String ID:
                                                                                      • API String ID: 713024617-0
                                                                                      • Opcode ID: ecbb510afcf65fa2912230d33e8217a601184c7cc255107d443019a4c6ecd909
                                                                                      • Instruction ID: 27d2e0720f2e026683a4ded791ab703a73cd332ff94d5c1f7ae9b138fd3b8ea1
                                                                                      • Opcode Fuzzy Hash: ecbb510afcf65fa2912230d33e8217a601184c7cc255107d443019a4c6ecd909
                                                                                      • Instruction Fuzzy Hash: F3F0F6739002269FC61C2B65FC0DB5A3F1CEF9631AF815422F251A7101D771C981DB95
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • EnterCriticalSection.KERNEL32(011AABFC,00000000,?,?,?,00CA1244,?,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70), ref: 00CA12AE
                                                                                      • TlsGetValue.KERNEL32(011AABE0,?,?,?,00CA1244,?,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70,?,00B405B2), ref: 00CA12C2
                                                                                      • LeaveCriticalSection.KERNEL32(011AABFC,?,?,?,00CA1244,?,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70,?,00B405B2), ref: 00CA12DC
                                                                                      • LeaveCriticalSection.KERNEL32(011AABFC,?,?,?,00CA1244,?,00000004,00C778B3,00C7794C,?,?,00000000,01181E90,011B1E70,?,00B405B2), ref: 00CA12E7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.901032925.0000000000B31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_b30000_k3yYC4F6nT.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$Leave$EnterValue
                                                                                      • String ID:
                                                                                      • API String ID: 3969253408-0
                                                                                      • Opcode ID: ae16d64177fc6f3f43790c43559fa1c3b07a3e2e87f5a2b3dbb9edcbfb355f8a
                                                                                      • Instruction ID: c448558d49dd752545c30a9ded3974bffefba5170c07d47c4e8df0d44428cb51
                                                                                      • Opcode Fuzzy Hash: ae16d64177fc6f3f43790c43559fa1c3b07a3e2e87f5a2b3dbb9edcbfb355f8a
                                                                                      • Instruction Fuzzy Hash: 04F02B322050215FCB145F86F888B2A7F78EF46758B090156EC01FF250D320EC05D791
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%